Try our new research platform with insights from 80,000+ expert users
Head of Digital, Log Monitoring at a manufacturing company with 10,001+ employees
Real User
Reduces MTTR, improves efficiency, and centralizes everything
Pros and Cons
  • "It is lovely to have everything we need in one tool. Everything is quite centralized."
  • "Splunk Enterprise Security provides us with the relevant context to help guide our investigations, but it would be interesting to add even more context, for instance, in order to raise the level of risk."

What is our primary use case?

Our SOC is using Splunk Enterprise Security as a SIEM. There are multiple use cases because it is the main tool for SOC analysts. We have plenty of use cases. It is being used for IT security monitoring. We also have some custom use cases for securing applications, and then we have some of our internal customers developing their own use cases, but the main purpose is for the SOC. 

We also have additional work that is much more tricky. It is related to using AI to detect insider threats.

How has it helped my organization?

We are incredibly increasing our coverage as per the NIST framework that we are using for our operations. We are always extending. That really took off after implementing Splunk. It was a big moment. I have been there from the very beginning when we started implementing Splunk. Like everything new, there was a little bit of difficulty, but after we implemented it, there was an incredible increase in our SOC efficiency.

Splunk Enterprise Security helped reduce our mean time to resolve based on my knowledge, but I do not know how much because I left the department one year ago. On the security monitoring side, we have very good MTTR globally due to Splunk and the processes that we have implemented. We have other kinds of tools. Compared to the other tools that we have, our MTTR is far better with Splunk. Compared to last year, it was reduced by half. It was already good, but it got reduced a lot again.

What is most valuable?

It is lovely to have everything we need in one tool. Everything is quite centralized.

What needs improvement?

AI is everywhere, and I feel we need to discover AI for cybersecurity. For the last five years, I myself have been setting up a product and evaluating AI, but I did not do it directly in Splunk because there was some fear about the performance on the platform. That is why we chose to build our own platform based on S3 and AWS to execute and run all the algorithms and send the data back into Splunk. We now have a good base with innovation. We have a better base to directly include machine learning use cases in Enterprise Security, but they need to provide more capability and autonomy to the customers because there is so much to do. When you are lucky enough to have a team of data scientists, they want to have free hands, so a balance has to be found between giving a lot of autonomy and putting enough control so that they do not do something stupid on the platform, which can impact the performance of the standard use cases as well. There is a compromise there. However, AI is growing so fast that you absolutely need to give autonomy to the team to manage and utilize AI. This means providing easy access to a new library to build machine learning. They need to give us some flexibility, and it seems that with the new toolkit, it would be okay. Data scientists love to have freedom.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations, but it would be interesting to add even more context, for instance, in order to raise the level of risk. That is something that can be implemented. For instance, when it comes to data loss prevention, it is known that somebody who is about to leave the company is much more likely to take data. If you have this information soon enough, because the person will tell HR in advance, you can increase the level of risk for data loss for that user, but you do not always get to know that in advance. In such cases, some indicators in the behavior of the users who are leaving could be connected to AI. For instance, if you are using natural language programming, you can grab emails with words like farewell. There are plenty of keywords that you can catch that would give you an indication that the person is about to live. When you have internal and external partners, they can leave at any time. You do not always get the information in advance, but there are always farewell parties or goodbye emails. You can use this kind of information to raise their risk on the specific alert. It is efficient in the sense that you decrease your false positive rate. To me, AI is something that can help them accelerate and improve on what they are already doing.

Splunk Enterprise Security is very costly. Pricing is probably its weakest spot.

Buyer's Guide
Splunk Enterprise Security
October 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,578 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Splunk Enterprise Security for five years.

What do I think about the stability of the solution?

It is difficult for me to answer this because I am no longer in charge now, but it has been stable from my point of view. 

What do I think about the scalability of the solution?

Its scalability is good provided you have the right license agreements.

How are customer service and support?

It depends on the situation. The problem at our end that is causing an issue with Splunk support is that we have a customized environment. All the problems that we submit are specific, and they can be a bit difficult to solve. Sometimes, their support is efficient, and at other times, we have to wait a bit too much. I would rate their support a seven out of ten.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I arrived at the time of transition. We were probably using RSA. We switched to Splunk Enterprise Security because we needed to jump to another scale. At that time, there was a complete change in the organization. We went from the old-school cyber to Cyber 2.0. We had a lot more visionary managers who came from other companies where they were using Splunk. We had good guidance.

How was the initial setup?

It was a bit difficult. The team that was developing the use cases did not have access to the real data because it was not ready yet. Developing a SOC use case without the data is something difficult. That is why it was difficult at the start, but it was not because of the tool. It was more of a matter of project management. After we moved on from the difficult stage, we were able to set up this use case factory where some of the users were themselves in a bit of self-service mode. This was a very good opportunity to enlarge our capability to cover all the applications in the best way.

For Splunk, we use AWS. We have a private cloud. We have difficulty using cloud-managed services.

What's my experience with pricing, setup cost, and licensing?

Pricing is probably its weakest spot. As compared to some competitors, Splunk is really expensive. The problem is that Splunk is like Rolls-Royce. It, for sure, is the best one. Gartner says it, and the customers say it, but sometimes, you do not need a Rolls-Royce to get to the supermarket.

The problem is that the licenses that we have are based on the volume of data that we ingest in a day. The data that we ingest is only growing. We have initiatives right now for better management of data. It makes sense in terms of storage and sustainability. The pricing model, especially for Europe, is difficult. I am just out of the negotiation for the renewal of the license. We bought it for three more years. This is good news for Splunk and us as well, but it was difficult to discuss with the sales and explain that we do not want to increase the cost because it is already too high, and if it could decrease, it would make sense. It is very difficult to have this understanding from the salesperson. It was difficult for my Splunk account partner, but we succeeded in the negotiation. It was a win-win situation.

They need to be fair and adjust the price as per the usage. If the price goes too high, we would just have a no-go from the top level of the company, which would be a pity. It can happen. It has happened in the past. At some point, we had a big contract with Microsoft for Office, and we are now with Google. It was a shock for the partners and people inside the company, but we did it. We now have Google and we are happy with it. We still have a bit of Microsoft. It is important to keep the balance.

We are looking at the data usage with Splunk's team. We are looking at whether the data onboarded and dashboards that were developed are really being used to avoid wastage. If any data is not necessary in Splunk, we just stop onboarding it. We have other data to onboard anyway. My idea is to be much more efficient in the way we are managing the data and not to go the way we did it in the past.

Which other solutions did I evaluate?

I did not evaluate other solutions but the company surely did.

What other advice do I have?

Splunk's unified platform has not helped consolidate networking, security, and IT observability tools, but it is not due to the tool. It is due to our company's structure. I have been part of the two teams. Previously, I was a part of the cybersecurity team, so I was mainly using Splunk Enterprise Security. Now I am leading the monitoring team, so I am much more on the SOC side of it. My team provides service to the cybersecurity team that is using Splunk Enterprise Security. In the end, we would like to have one solution, which would be Splunk. I would like to have IT monitoring and observability with ITSI in the future. This centralization would bring efficiency. One log being used for cybersecurity purposes can also be used for other purposes. Everything centralized would give us the most efficient way to access the data and limit duplication. It would be helpful for efficiency, cost control, and data governance.

It is absolutely crucial for us to have end-to-end visibility. For our cybersecurity needs, we should be able to reach anything. We even have this concept of Watch the Watcher, so visibility is absolutely key. We have the opportunity to audit the activities of even cyber analysts, so visibility at every stage is absolutely key. For example, all the SIEMs could be under attack, which would be a nightmare. Imagine it being an insider threat where the attacker knows what exactly we are monitoring. With AI, these kinds of risks are even higher. That is why we are all in for AI for Cyber and Cyber for AI. We need absolute visibility, but we also need protection.

Splunk Enterprise Security has not helped us reduce our alert volume. We are not at that level of maturity at this point. It is still growing.

I would rate Splunk Enterprise Security a nine out of ten. It is a good product. It needs some progress with AI, but based on what I have seen in the presentation for version 8, it seems promising.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Valarie - PeerSpot reviewer
SOC Technical Lead at a educational organization with 1,001-5,000 employees
Real User
Top 5
Gives visibility into what's happening across the network and allows us to dig deep
Pros and Cons
  • "Being able to aggregate detection and alerts from various sources is valuable. Like everyone else, we have a wide range of tools in our shop. We are able to stop at one spot and look at all the data. All the data is able to come through, and we can then jump from source to source or index to index. We can dig deep whenever we need to and get a good high-level understanding."
  • "The first thing that comes to mind is a little bit of UI improvement. It sometimes can be a little bit buggy or it can be a little bit slow, but that varies from customer to customer."

What is our primary use case?

I am a SOC lead, and we use Splunk Enterprise Security for alerting and working on incident review and incident response.

We have a hybrid environment. We have multiple clouds, and I am not sure if I know all of them. We have Azure Labs that we run for our students. We have cloud infrastructure. We have cloud applications on which we need visibility.

How has it helped my organization?

It is incredibly important that Splunk Enterprise Security provides end-to-end visibility into our environment. Especially being someone who goes through and reviews the work that my analysts are doing, I definitely need to be able to see what is happening all across different domains of our network.

We work for a large university, and we have different tenants. We have our students, we have our employees, and then we have our faculty as well. We definitely need to see what is happening across the domains and across all of those different tenants.

It saves so much time for the analysts, and it empowers analysts to carry out and triage an investigation, wherever needed. It is incredibly hard when you are working with different sources. I am sure everyone else knows that you cannot expect your analysts to be on the same page a hundred percent at the time. They might say, "Hey, I am going to go into this tool and look at these alerts here, or I am going to look at these learnings from this tenant." We need to be looking at all of those sources and all of those domain tenants at once. Being able to see that across the board and not having to jump through hoops to get the data that we want is extremely valuable. I do not have metrics for how much time it has saved because I do not know our life before Splunk. I know that it has done a great deal in saving time, and now with SOAR, that is exactly what we are looking into. We are looking into how we can empower that even more by combining it with Splunk Enterprise Security.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data. Splunk is definitely a leader. I cannot imagine leaving and going to another toolset and losing the capabilities that I have and the knowledge that I have. One of my favorite parts is that Splunk really does work. It seems to me that they work with actual users on a regular basis, so they know the pain points and they know what our issues or our primary concerns are.

In the beginning, it did not help to reduce our alert volume, but over time, it has definitely reduced that. Something that I am working on primarily with our SOC right now is increasing our alert volume because we are at such a low rate because of the work that we can do with Splunk's capabilities. We are looking into what areas in the network we are not alerting on. We have these out-of-the-box solutions, but there is more that we can build on. It is empowering our analysts to be SOC analysts, but the more advanced employees can work towards the threat detection engineering side or SOAR playbooks development side or even just on the backend of setting up and working with the configuration.

I wish I knew the metrics for the reduction in the alert column. I do not have any approximation, but our SOC is very manageable. We are a small team, and the number of alerts varies. On average, we get about 300 alerts a day on the high end and 150 alerts on the low end. If it is a very slow day, such as a vacation for everyone, and we do not have a lot of activity going on in the network on our endpoints, it is very manageable for a small team. Our SOC team has four full-time employees, and then we have intern/student workers because we partner with the university. We have three of them. Overall, there are seven, but, of course, students are only able to work a maximum of 15 or 18 hours a week or something like that, so the amount of man-hours that we have is pretty low.

Splunk Enterprise Security provides us with the relevant context to help guide our investigations. There could be a little bit more, but that also depends on the analysts and where they are in terms of maturity. I have a lot of capability to go and expand what I need to, but others do need a little bit more guidance. It is not easy on the first look for someone who has never done it before, but after being taught or learning about it themselves, it is pretty easy. It can still do a whole lot. If we are looking at an anonymous login, we are getting context from different sources. If there is an activity that is going on in the host machine, such as we have some login from Russia, which has never happened before, there is a firing of alerts from the EDR. We can see our email gateway firing alerts regarding their account. That allows us to contextualize and correlate the activity very easily.

Splunk Enterprise Security has helped improve our organization’s business resilience. We are able to take action immediately when we need to. Especially with risk-based alerting, we are able to understand what needs attention right now. We do work with young junior analysts a lot, and we are able to teach them how to identify what needs action right now or what needs to be investigated or triaged immediately. We are basically protecting our crown jewels first rather than some low-hanging fruit that we see everyday, but we cannot take a look at them because we have some important things going on in our network.

What is most valuable?

Being able to aggregate detection and alerts from various sources is valuable. Like everyone else, we have a wide range of tools in our shop. We are able to stop at one spot and look at all the data. All the data is able to come through, and we can then jump from source to source or index to index. We can dig deep whenever we need to and get a good high-level understanding.

What needs improvement?

The first thing that comes to mind is a little bit of UI improvement. It sometimes can be a little bit buggy or it can be a little bit slow, but that varies from customer to customer.

They can continue building out the Splunk community. They can give incentives for customers to collaborate and expand on what they are working on but also provide the tools to do that. There are good resources such as Splunktern. I love the Splunk education and training platform. It is amazing, but I wish there was a little bit more. Especially with the training and applications, they should give us real-world use cases and a little bit more specific scenarios. Splunk is doing a much better job than a lot of other organizations or technology platforms, but they can give more information. I know a lot of my Splunk users do not even realize the things that they can do. On the user end or analyst end, they need to be more proactive by giving more of a heads-up. For example, I found out about Splunk research today. I have been using Splunk for two years. I wish I had known about that more. They can reach out more. The incentives can be anything. Some people love stickers, and some people love shirts. They can create that community a little bit more.

For how long have I used the solution?

I have been using Splunk Enterprise Security for two years.

What do I think about the stability of the solution?

I do not have much to compare it to, but it is stable. We hardly have any issues, and if we do, they are intermittent. 

What do I think about the scalability of the solution?

The growth that we have seen in my time with our team has not been so much. However, we are adding more tools or trying to gain visibility into different areas of our network or applications that have already been there. Being able to throw some logs in and figure out that we should be monitoring this has been painless. We can just forward them all over. It takes an hour or so. We get the answers and the visibility that we need.

How are customer service and support?

I have not used it very often. I have used it once or twice, but I would say that the engineers I have worked with have been extremely knowledgeable. They have helped so much. We were working on SOAR, and we were pretty new to it as a SOC. We were able to work all of that out with a Splunk engineer on a call. They were able to answer our questions. They knew our needs and goals, and they were able to guide us to meet those. That has been very effective for us. I would rate them a ten out of ten. I have not had any bad experiences.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We have had Splunk since I have been in this company.

What was our ROI?

Specifically, I cannot say what return on investment we are getting. However, when we look at other products, we know we are not going to have the same capabilities and we are not going to have the same response times and correlation capabilities. Even working with other vendors and getting their logs into Splunk can be a nightmare, and that is enough to make us say that we do not want to buy their product.

Which other solutions did I evaluate?

Personally, I have not evaluated other solutions. We do have some friends and family connections who use other solutions. Based on their stories, we will continue using Splunk.

What other advice do I have?

I would rate Splunk Enterprise Security a nine out of ten. If it were a ten, it would do my job for me.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Buyer's Guide
Splunk Enterprise Security
October 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,578 professionals have used our research since 2012.
CEO at Securis360 inc.
Reseller
Used for compliance, logging, log storage, and root cause analysis
Pros and Cons
  • "Splunk Enterprise Security is a standard solution providing good customer service and partnership."
  • "Splunk should have more regional data centers in the Middle East."

What is our primary use case?

We mostly use the solution for compliance, logging, log storage, and root cause analysis. In 2015, we had AIG as a client, and they only had Splunk. Splunk Enterprise Security is one of the oldest solutions that did the logging and storage.

How has it helped my organization?

Splunk has fantastic brand value, which helps us sell it as resellers. The solution's pricing is quite competitive. The solution meets all the requirements. As a compliance person, I know that log storage is very important for data privacy compliance guidelines like ISO or CCPA. Splunk provides all of those compliances and checkmarks.

What is most valuable?

I like that the tool is light and the agent doesn't slow down the machine. Splunk Enterprise Security is a standard solution providing good customer service and partnership.

What needs improvement?

The solution should improve regional knowledge of the new regulations coming out of the Middle East. As a consulting firm, we are currently targeting many Middle Eastern markets, including Saudi Arabia and Dubai. They don't have a local server support cloud center there, which is a big issue because they don't want their data to go out of the region. Splunk should have more regional data centers in the Middle East.

For how long have I used the solution?

I have been using Splunk Enterprise Security for five years.

What do I think about the stability of the solution?

Splunk Enterprise Security provides good stability.

What do I think about the scalability of the solution?

The solution's scalability is fantastic. Even 10,000 to 50,000 endpoints don't slow anything down. The servers, log storage, and ingestion work smoothly, irrespective of whether there are 5,000 or 50,000 endpoints.

How are customer service and support?

The solution’s technical support is very good.

What was our ROI?

Our customers using Splunk Enterprise Security don't have any compliance issues, and they don't get fined by the regulators, which saves them money.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security's pricing is pretty competitive.

What other advice do I have?

I'm a consultant who uses Splunk for other clients. It's important for the clients that it can communicate with all kinds of devices, like firewalls, WAFs, servers, endpoints, switches, and routers. All of that is figured out over time, which is useful.

Splunk Enterprise Security is a good tool for finding security events across multi-cloud, on-premises, or hybrid environments.

Splunk has helped improve our organization's ability to ingest and normalize data. It can also identify and solve P1 or high-critical-priority problems in real-time.

Splunk Enterprise Security has helped us reduce our alert volume by around 50%.

The solution provides us with the relevant context to help guide our investigations, and this context information has impacted our investigation process. Having all the data in a single place does help with post-incident response and forensic root cause analysis.

Splunk Enterprise Security has significantly helped speed up our security investigations. I save 60% to 70% of my time because it's easier to find what I want to find through the tool's user interface.

Splunk Enterprise Security has helped reduce our mean time to resolve by around 50%.

Overall, I rate the solution ten out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Flag as inappropriate
PeerSpot user
Splunk Enginer at UnitedHealth Group
Real User
Top 20
We can take predictive action to identify and block threats so that nothing harmful gets into the system
Pros and Cons
  • "Splunk helps us be more proactive. We can take predictive action to identify and block threats so that nothing harmful gets into the system."
  • "Splunk could have more built-in use case presets that customers can build on and customize."

What is our primary use case?

We use Splunk daily to find the root cause of attacks and analyze users attempting to access our system. We create incidents and address 5 to 7 simultaneously. Once we analyze and record the activity, we can delete the incident. Our admin team will verify whether it originated externally or internally. 

We use Splunk to respond to security incidents and for data analytics. We conduct custom correlations for the customer and write reports on any attacks. We set alerts for user behavior to discover threats, like if someone is constantly attempting to access our internal domain. The admin will identify that threat and block it. 

How has it helped my organization?

Splunk helps us be more proactive. We can take predictive action to identify and block threats so that nothing harmful gets into the system. With Splunk, we can monitor the entire environment from one place. It's a single point of control for all infrastructure, whether in the cloud or on-premise. Splunk has sped up our security investigations. 

What is most valuable?

I like Splunk's Notable Events. We have created several dashboards for our customers, where you can see the activity and number of alerts. The database receives data about the mask and domain IPs of any user trying to gain access.  We ingest logs from multiple antivirus products and firewalls and analyze them to prevent attacks and threat activities.

What needs improvement?

Splunk could have more built-in use case presets that customers can build on and customize. 

For how long have I used the solution?

I have used Splunk for 9 years. 

What do I think about the stability of the solution?

Splunk is a stable product.

How are customer service and support?

I rate Splunk technical support 8 out of 10. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used Dynatrace but switched to Splunk because it has more features. 

How was the initial setup?

Splunk is easy to deploy if you have some basic knowledge. You need experience. It doesn't require any maintenance after deployment. 

What's my experience with pricing, setup cost, and licensing?

Splunk is a good value for the features it provides. The license is costly, but it's better than the other tools. 

What other advice do I have?

I rate Splunk Enterprise Security 8 out of 10. I would recommend Splunk to others. It's one of the most powerful tools available. It's a valuable tool for monitoring infrastructure. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
PeerSpot user
Senior Director, Detection Engineering Cyber Defense Services at a insurance company with 5,001-10,000 employees
Real User
Offers users with a single-point-of-view dashboard for incident response
Pros and Cons
  • "It is a very stable solution. I never really had a hiccup with the tool."
  • "The area of concern revolves around the fact that Splunk is an expensive product."

What is our primary use case?

I use the solution in my company, and most of the use cases are security-specific. My company uses it to transfer from our detection engineering team to our incident response team. For observability, our company is looking for security events within the tool, and we are logging all the critical security infrastructure and security-relevant logs to a platform for security operations.

How has it helped my organization?

The tool has helped to streamline our company's mean time spent in understanding security-relevant events and mitigating those risks.

What is most valuable?

Some of the tool's best features are RBA and UBA. I also like the tool's single point-of-view dashboard for incident response. The case management area is one of its good features.

The tool has reduced the mean time needed to resolve. The reason is that the dashboard offers a single point of view, especially in areas where people aren't spread out. Our company is getting all the relevant data in there, and we are able to identify the problem instead of having to go to multiple tools or different interfaces.

It is very important for our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. It is our company's way of understanding what is going on in our environment, and then it is our way of handling security events, relevant events, mitigating risk, understanding risk, quantifying risk, producing metrics, and everything else.

Splunk Enterprise Security provides our company with the relevant context to help guide your investigations. The tool has allowed us to gain better visibility and accuracy into security events.

The tool has helped our company improve the resiliency of our security operations. This is based on the fact that we don't have full adoption of the tool for all users in our organization, especially not Splunk Enterprise Security.

My company uses the tool for security operations, and we have built our security operations around Splunk based on what it can do and its performance.

What needs improvement?

I think Splunk is already improving its products. Some of the features that Splunk has been bringing out, like Splunk Attack Analyzer, while covering some of the other areas, like regulatory compliance and asset security, are good. It is just a matter of the customers being able to see the new features introduced by Splunk and get a demo to see if it makes sense for their work.

I already have Splunk Enterprise Security set up. My company is interested in seeing Splunk Attack Analyzer, and that is why we are dealing with Splunk's point of contact right now.

The area of concern revolves around the fact that Splunk is an expensive product. Splunk's expensive nature is an aspect where improvements are needed.

For how long have I used the solution?

I have been using Splunk Enterprise Security for six to seven years.

What do I think about the stability of the solution?

It is a very stable solution. I never really had a hiccup with the tool. Even for migrations or anything, our company has never had to use Splunk's partners, and it has been a seamless process.

What do I think about the scalability of the solution?

The tool's scalability has been good, but it depends on the organization and how Splunk is being adopted there.

How are customer service and support?

The solution's technical support can be hit or miss, but it is mostly positive. I can't give you all the scenarios, but the one thing that I do like about Splunk is that if there ever is a hiccup, a simple phone call from our end can ensure that Splunk's technical team takes care of our problems. I rate the technical support a ten out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have used many products in the past, but they were not in my present organization. It has been a long time since I used some products, as it was done back during my engineering days. I used to use HPE ArcSight. I have been through McAfee products, such as McAfee Nitro, back in the day. I have been an active Splunk business owner for almost a decade now.

How was the initial setup?

The product's initial setup phase has been perfect since our company uses the cloud services offered by Splunk.

The solution is deployed on the cloud services offered by Splunk.

What about the implementation team?

The reseller that my company gets in touch with to help with the implementation part is called GuidePoint Security. My company's experience with GuidePoint Security has been good.

What was our ROI?

I think that based on my experience in the organizations that I have been in with Splunk, the tool definitely fetches a return on investment because it allows us to streamline security-relevant events that we need to take care of quickly. Overall, the tool saves us from any impact on our finances and business.

What's my experience with pricing, setup cost, and licensing?

Most of Splunk's customers are trying to find ways to keep the pricing from the ingest licensing model of Splunk down. What that comes down to is that we have to manage the platform. For our company, being a security enterprise and using it for security-relevant data allows us to streamline and control the ingest licensing model because we don't put in a lot of stuff in the tool. We have other things that we output to different data lakes. Splunk has always been on the expensive side.

What other advice do I have?

The ease of deploying the tool, its great customer service, and the development you can do within the tool is very seamless, so I would recommend the product to my peers since it is a great solution.

I rate Splunk Enterprise Security a ten out of ten.

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Focused ops analyst at Navy Federal Credit Union
Real User
Top 20
Has the best search capabilities by far
Pros and Cons
  • "I very much enjoy Splunk's robust search nature, which enables me to find the data I want within the data I have."
  • "There's been a big push for SBC compute over the ingestion model, which will hamper us."

What is our primary use case?

We use the solution for monitoring and detection and for threat hunting.

How has it helped my organization?

On the threat-hunting side, we can easily hunt down what we're looking for because Splunk's language parses the data coming in and allows us to utilize it to filter down through the data we need.

What is most valuable?

I very much enjoy Splunk's robust search nature, which enables me to find the data I want within the data I have. It's helpful for doing an investigation, whether that's an incident response or threat hunting.

It is important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. That way, we can see where the data is throughout the entire process, depending on where we are in the incident.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data.

Splunk Enterprise Security has, by far, the best search capabilities. It ties that into alerts and notables, allowing you to refine what you want to see in your data.

What needs improvement?

There's been a big push for SBC compute over the ingestion model, which will hamper us. We're trying to increase our search counts with things like risk-based alerting, and I think that change will hinder our process.

For how long have I used the solution?

I have been using Splunk Enterprise Security for eight years.

What do I think about the stability of the solution?

Splunk Enterprise Security is a stable solution.

What do I think about the scalability of the solution?

Splunk Enterprise Security is a scalable solution.

What's my experience with pricing, setup cost, and licensing?

I think we recently switched to the SVC pricing compared to the ingest pricing. I don't know if that was the right move for us.

What other advice do I have?

Overall, I rate the solution an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Sr. Security Engineer at a sports company with 501-1,000 employees
Real User
The user interface gives you a single dashboard to directly view all high-level information
Pros and Cons
  • "I like Splunk's automated threat detection and orchestration capabilities. Splunk offers a single solution for analyzing, aggregating, correlating, monitoring, reporting, visualizing, etc. You can get all of these capabilities in one place. On top of that, it provides a cloud, testing, on-premise, and hybrid solution, giving customers more flexibility for their use cases."
  • "We've sometimes faced issues with upgrades. The incident review dashboard sometimes breaks after updates. When we add a space or something in the description or anywhere in the SQL, the drill-down value may be reset with a blank value. Before rolling out any software, they should test it thoroughly and ensure clients won't have issues with the upgraded version. It should be compatible with all or most of the apps. All major issues must be addressed before rolling out the upgrade."

What is our primary use case?

I use Splunk for visualization, reporting, monitoring, log aggregation, and other security purposes. We gather various logs into one place and analyze them based on specific business use cases to get high-level insights that inform decision-making at every level of the organization. We also use it to aggregate other IT logs — not just security. 

Our organization is working in a massive on-prem environment. We're one of Splunk's oldest clients. It's convenient to migrate everything to the cloud, and we would have more flexibility. However, we currently have our resources and everything established to use Splunk on-premises, so we aren't switching to a cloud environment.

How has it helped my organization?

Splunk allows us to monitor logs and track suspicious activity in real time. With the help of the SOAR platform powered by AI and ML, we can respond quickly. Our security posture is better, and we can resolve security incidents quicker. Splunk has improved our visibility by providing critical security metrics in our dashboard and strengthened our security controls. 

The number of alerts we receive is similar to what we saw using our previous solution. While it hasn't necessarily reduced our alerts, Splunk is improving our resolution time and overall security.

What is most valuable?

I like Splunk's automated threat detection and orchestration capabilities. Splunk offers a single solution for analyzing, aggregating, correlating, monitoring, reporting, visualizing, etc. You can get all of these capabilities in one place. On top of that, it provides a cloud, testing, on-premise, and hybrid solution, giving customers more flexibility for their use cases. 

Splunk's real-time monitoring is one of its best features.  The user interface gives you a single dashboard to directly view all the high-level information. The security incident monitoring and investigation page is also very helpful. You can document an investigation step by step. Many investigators can work on a single incident also based on their shifts. Everyone can add notes on the investigation page. 

The incident response features are based on real-time data. The monitoring team can immediately take over an incident and prioritize tasks based on risk scores. We can assign multiple technicians to one security incident based on their skill, improving resolution time.  The incident review dashboard provides many useful details, like the indicators of compromise and risk scores.

We can get threat intelligence from multiple platforms, including the latest known IOCs, to support our response to security incidents. We store the threat data from various sources in a centralized place, and it updates every six to 12 hours. 

The MITRE ATT&CK framework feature is helpful for understanding which phase an incident is in and what the next steps are so a technician can prevent it from progressing. It gives us a detailed overview of other tactics it might be associated with, enabling us to stay vigilant. We can correlate with other simultaneous or sequential incidents and take action to strengthen our security based on these incidents.

What needs improvement?

We've sometimes faced issues with upgrades. The incident review dashboard sometimes breaks after updates. When we add a space or something in the description or anywhere in the SQL, the drill-down value may be reset with a blank value. Before rolling out any software, they should test it thoroughly and ensure clients won't have issues with the upgraded version. It should be compatible with all or most of the apps. All major issues must be addressed before rolling out the upgrade.

For how long have I used the solution?

I have used Splunk for eight or nine years. 

What do I think about the stability of the solution?

I rate Splunk nine out of 10 for stability. 

What do I think about the scalability of the solution?

I rate Splunk eight out of 10 for scalability. Scalability is always a challenge. The larger your environment, the more issues you'll have. There aren't many problems with Splunk on the cloud, but scaling can be challenging in an on-prem environment. If you're ingesting a significant volume of data, you need a proper maintenance routine to maintain your base architecture. Sometimes, it's a bucket application. It can take a few hours to reset those things, and network issues might contribute to that. 

How are customer service and support?

I rate Splunk support eight out of 10. It varies based on your data volume and number of licenses. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have used several solutions for different clients, including QRadar, Palantir, and Microsoft Sentinel. Splunk has more capabilities than QRadar. It's also more flexible and user-friendly. You can modify and customize the solution to show you the information you want.

How was the initial setup?

The deployment depends on the environment. It may take only a couple of weeks to deploy Splunk in a small environment, but a larger environment involves a detailed process that may take months. It helps to have a larger staff. It also depends on how process-oriented an organization is. Some organizations will take much more time in the planning and design phase. 

After deployment, Splunk requires a good deal of maintenance, depending on the volume of data you're ingesting and your user base. It may require multiple resources to manage this environment. 

What was our ROI?

Splunk improves our security controls, resolution time, and threat-handling capabilities. We're saving time and resources, meaning more money for our clients. 

What's my experience with pricing, setup cost, and licensing?

I don't know about Splunk's pricing because I work on the technical side, but I know it is a costly platform. There are cheaper products and some open-source ones, but Splunk costs a lot because of the features it provides. Still, the pricing is a concern for many of my clients, and more would use Splunk if they lowered the cost a bit. 

What other advice do I have?

I rate Splunk Enterprise Security nine out of 10. I would recommend Splunk because it covers multiple services in one place. It also has a strong developer community. You can easily get help from community support. Splunk is a versatile product that competes well with leading security tools like Microsoft Sentinel.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
PeerSpot user
MANISH CHOUDHARY. - PeerSpot reviewer
SOC manager at a tech vendor with 10,001+ employees
Real User
Top 10
We can easily identify users and devices, but the plugins have room for improvement
Pros and Cons
  • "Splunk Enterprise Security comes with 300 pre-deployed use cases that can be easily customized to meet the specific needs of our organization, without the need to purchase additional tools."
  • "Splunk can improve its third-party device application plugins."

What is our primary use case?

We use Splunk Enterprise Security to analyze log data for log monitoring, creating use cases, onboarding, and incident response.

We wanted a single security tool that could immediately identify notable events that could be reported as security breaches, and then enable us to take intelligent action without having to purchase additional security tools.

We have two customers with hybrid cloud solutions. Neither customer is fully cloud-based. Our implementation is based on the customer's requirements, such as compliance, data ownership, and administration. We plan the implementation of Splunk cloud or hybrid models based on these requirements. We discuss the benefits and solutions with the customer to ensure that we are not breaching any compliance policies and that we are selecting the right model for their needs. Because we have multiple customers, we must also consider how to manage this process effectively.

How has it helped my organization?

We use multiple cloud environments for our clients, including AWS, Azure, GCP, and private cloud. We can easily integrate Splunk Enterprise Security and segregate the logs based on the type of index we create for each customer. When we create different indexes, we can segregate the types of logs based on the device type. This makes it easy to separate logs from different universal providers, different machines, and specific types of indexes dedicated to particular customers or groups.

We use threat topology and MITRE ATT&CK to create and integrate use cases for network framework detection and visualization in Splunk. Splunk helps us segregate and integrate use cases based on different threat detections and provides a complete dashboard view of how use cases match with detected threats.

When discussing MITRE ATT&CK and topology, we sometimes encounter use cases where we must ensure the logic is properly implemented to detect the threat and trigger the alert. This is because log access may involve specific teams and their associated MITRE ATT&CK tactics and techniques. We must be very specific about the information we are observing in order to derive the correct information and framework topology.

Splunk is one of the easiest solutions for analyzing malicious activities and detecting breaches. It is flexible enough to work with small teams, and it provides a broad view of the data, allowing us to segregate and fine-tune the analysis based on the customer's requirements.

Splunk Enterprise Security can help us detect threats faster when it is properly configured. We have implemented over 400 use cases for specific types of malware and other threat detection. In over 70 percent of environments, Splunk is able to detect threats faster than other solutions.

It has helped our organization improve by integrating with cloud providers. Splunk enables us to blacklist specific data types and ranges to reduce our losses, based on our requirements.

We have reduced our alert volume by around 50 percent with Splunk. When we first started creating and using Splunk use cases, we received around 700 alerts. Splunk can merge different sources of use cases into one to identify false positives, which has been very helpful for us.

Splunk has helped speed up our security investigations by almost 70 percent. We have a dedicated incident response team. They use the Splunk incident reports to help with their investigations. 

What is most valuable?

Splunk Enterprise Security comes with 300 pre-deployed use cases that can be easily customized to meet the specific needs of our organization, without the need to purchase additional tools.

We can easily identify the number of security devices and users that are authenticated on the network and present the information to the executive team.

What needs improvement?

Splunk can improve its third-party device application plugins.

For how long have I used the solution?

I have been using Splunk Enterprise Security for five years.

What do I think about the stability of the solution?

Splunk Enterprise Security is stable.

What do I think about the scalability of the solution?

Splunk Enterprise Security is scalable.

How are customer service and support?

The Splunk technical support is good but their call times differ.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously used IBM Security QRadar, Azure Sentinel, and McAfee Network Security Platform. Splunk Enterprise Security is designed for multiple platforms and is easier to implement.

Splunk is much faster when used correctly and has many tools. With the exception of Sentinel, the other solutions do not have many tools. With Sentinel, we have to define the indexes and all those things, such as the aggregation of logs. It is easy to do searches in Splunk, even in a large environment. I find Splunk to be more efficient than the other solutions I have used in the past.

How was the initial setup?

The initial deployment is straightforward. We install the solution and define the roles of each server and the data it will store. The deployment in our test environment took 13 hours.

What was our ROI?

We have seen a return on our investment in Splunk. The variety of options that Splunk provides is a great selling point for our customers.

What's my experience with pricing, setup cost, and licensing?

While Splunk is more expensive than other solutions, we would still choose it because of its capabilities. Splunk is a leader in the field and provides a wider range of data and security features than other SIEM solutions.

I would recommend Splunk over any of the less expensive SIEM products. I recommend the license-based solution over the user-based solution that Splunk offers. If I had to recommend any other SIEM other than Splunk, it would be Microsoft Sentinel.

What other advice do I have?

I would rate Splunk Enterprise Security seven out of ten.

The threat detection capabilities that we get by default are very basic. However, if we want to implement the most effective threat protection on the internet, we need to purchase a relevant solution for intelligent threat protection. This will provide us with more feeds for enterprise security and help us to integrate data by matching the data to the target and to the security with our Splunk.

We have 60 percent of our customers using Splunk Enterprise Security in their environments.

Splunk maintenance is required for updates. 

Splunk provides a centralized monitoring platform, eliminating the need to switch between different platforms to monitor security. Splunk provides a clear view of different security losses and incidents, and we can onboard any number of devices as needed. We can monitor our entire environment from one place, requiring only one team to monitor it. Splunk adds a lot of value currently.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: October 2024
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.