Nagendra Nekkala. - PeerSpot reviewer
Senior Manager ICT & Innovations at Bangalore International Airport Limited
Real User
Top 5Leaderboard
Helps increase our security posture, saves time, and improves visibility
Pros and Cons
  • "The ability to manage large amounts of generated data and to protect all devices from unauthorized use are the most valuable features."
  • "The threat detection library needs to increase the frequency at which the playbooks are updated."

What is our primary use case?

We use Splunk Enterprise Security to enhance our overall security posture by proactively managing our threat profile across the enterprise. This enables us to see valuable insights and effectively monitor all OEM devices.

How has it helped my organization?

It is easy to monitor multiple cloud environments using Splunk Enterprise Security. This helps with DLP and security across our SAM solutions.

Although I favor the cloud's convenience for credential management, Splunk Enterprise Security's visibility remains consistent across multiple environments.

Splunk's insider threat detection reveals daily threat events and highlights anomalous behavior on the dashboard.

The threat intelligence management feature continuously monitors activities across cloud, on-premises, and hybrid environments, and informs stakeholders of any suspicious activity.

Splunk Enterprise Security has endpoint security protection to analyze malicious activities and detect breaches through the analysis of new log content.

Splunk Enterprise Security helps us detect threats two to three hours faster.

Splunk Enterprise Security has helped improve our incident review times, security posture, network protection, and endpoint protection. We saw the benefits within the first month of use.

A decrease in false positives has enhanced our risk analysis, security posture, and the speed of our alert investigations, resulting in daily time savings of four hours. 

Splunk Enterprise Security has saved us two hours per day of investigation time.

What is most valuable?

The ability to manage large amounts of generated data and to protect all devices from unauthorized use are the most valuable features.

What needs improvement?

The threat detection library needs to increase the frequency at which the playbooks are updated. 

Buyer's Guide
Splunk Enterprise Security
February 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: February 2024.
757,198 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Splunk Enterprise Security for two years.

What do I think about the stability of the solution?

Splunk Enterprise Security is stable.

What do I think about the scalability of the solution?

Splunk Enterprise Security is scalable.

How are customer service and support?

The technical support is good.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial deployment was straightforward. We wanted to cover all of our endpoints. Two people were required for the deployment.

What about the implementation team?

The implementation was completed in-house.

What other advice do I have?

I would rate Splunk Enterprise Security an eight out of ten.

Splunk Enterprise Security is a leader in the market and provides great visibility into an organization's security posture.

We have 100 people that are using Splunk Enterprise Security.

The continuous visibility and SOC requirements of the resilience Splunk offers are a benefit to any SIEM. Resilience is important for organizations that run a hybrid environment.

Which deployment model are you using for this solution?

Private Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
System Administrator at Nournet communications
Real User
Top 20
Helps reduce threat detection time, security investigation time, and alert volumes
Pros and Cons
  • "The most valuable feature of Splunk Enterprise Security is the comprehensive logging capabilities it provides."
  • "Given the ever-increasing number of threats, I would like Splunk to update its threat signatures more frequently."

What is our primary use case?

We use Splunk Enterprise Security to identify and resolve critical issues and errors within our environment.

How has it helped my organization?

The visibility that Splunk Enterprise Security provides is good. We can easily find the data we need using the logs.

Monitoring multiple cloud environments using Splunk Enterprise Security was not difficult.

Splunk Enterprise Security's insider threat detection capabilities enable us to effortlessly identify unknown threats and anonymous user behavior.

Splunk Enterprise Security helped us analyze malicious activities and detect breaches between 50 to 90 percent faster.

Splunk Enterprise Security has helped reduce alert volumes by up to 90 percent.

Splunk Enterprise Security has helped speed up our security investigation time by almost 90 percent.

What is most valuable?

The most valuable feature of Splunk Enterprise Security is the comprehensive logging capabilities it provides.

What needs improvement?

The price of Splunk Enterprise Security is high and can be improved.

Given the ever-increasing number of threats, I would like Splunk to update its threat signatures more frequently.

For how long have I used the solution?

I have been using Splunk Enterprise Security for one and a half years.

What do I think about the stability of the solution?

Splunk Enterprise Security is stable.

What do I think about the scalability of the solution?

Splunk Enterprise Security is scalable.

The resilience of Splunk allows organizations to protect their data and resolve vulnerabilities quickly.

How are customer service and support?

The technical support provides good resolution.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I had previously used Loggly, developed by SolarWinds and Elastic. However, I found it to be inaccurate and slow. Elastic offers a free version of its solution, which is more commonly used by smaller businesses.

What about the implementation team?

The implementation was completed by a third party.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is expensive. I would rate the cost an eight out of ten with ten being the most expensive.

I recommend Splunk Enterprise Security over cheaper SIEM solutions because of its offerings.

What other advice do I have?

I would rate Splunk Enterprise Security nine out of ten.

Splunk Enterprise Security does not require any maintenance. It is plug-and-play.

I recommend Splunk Enterprise Security for organizations that want to detect threats quickly.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
Flag as inappropriate
PeerSpot user
Buyer's Guide
Splunk Enterprise Security
February 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: February 2024.
757,198 professionals have used our research since 2012.
Security Engineer at State of Nevada
User
Good at predicting, identifying, and solving problems in real-time
Pros and Cons
  • "Splunk has helped improve our company's resilience level."
  • "The upgrading process could be smoother."

What is our primary use case?

We primarily use the solution for SOC purposes.

How has it helped my organization?

The solution has made it possible to check and detect our traffic a bit better.

What is most valuable?

The incident review is great for working inside of a SOC if we want to see everything and we want to configure notables and have all notable features, it's useful. We're moving to SOAR right now for configuration for our work center. As far as ES in our work center, just detecting our notables and monitoring all our traffic, is the most important feature as far as what our day-to-day is concerned. 

Splunk has helped us with mean time to respond, although I don't have exact numbers.

Splunk has helped improve our company's resilience level.

Splunk is very good at predicting, identifying, and solving problems in real time. I've never used anything else, however, I'm impressed with the ease of it and the ability to find anything and everything we need. 

What needs improvement?

I do a lot of the maintenance. A lot of my workers are fresh into Linux and need to monitor, manage, and do maintenance on it. They should bring back the maintenance mode button. Splunk used to have it and they took that feature away.

The upgrading process could be smoother. 

For how long have I used the solution?

I've used the solution for about a year.

What do I think about the stability of the solution?

The stability and availability of Splunk are great. It does get weird when we initially update items, however. That's the only time we see issues. It may try to input data in areas it doesn't need to. That said, we are aware of the quirks of the setup. 

What do I think about the scalability of the solution?

Scaling is easy if you have done it a couple of times. 

The environment I have has multiple servers. We might have around 100 servers. 

How are customer service and support?

Splunk support is very communicative about our concerns. That said, the answers I've gotten back don't make sense. I'm not sure if they communicated our issue in the right way or if they misunderstood, however, they did not correctly address our issue. In the end, we do have a good dialogue. I now expect that they will misunderstand the problem on the first round and we have to go back and forth. The effort is there to try to understand. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

The company may have had QRadar for a while before Splunk. I wasn't around when they switched to Splunk so I cannot compare the two. 

How was the initial setup?

I was not involved in the initial deployment of Splunk. 

What was our ROI?

The company has witnessed an ROI in terms of the amount of time saved via being able to tweak our searches. The docs are great. They help tremendously in filling knowledge gaps. The ROI is solid. 

What's my experience with pricing, setup cost, and licensing?

I don't deal with pricing or licensing. 

What other advice do I have?

I've only worked with Splunk as far as data ingestion. 

The solution does take a bit of understanding. It does need improvements in some areas. I'd rate the solution seven out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Insider Thread Consultant at a manufacturing company with 10,001+ employees
Consultant
A reliable and stable solution that helps detect internal threats and improves business resilience
Pros and Cons
  • "The search lookups are useful."
  • "The product must improve insider threat detection."

What is our primary use case?

My use cases are very limited. I use the product mostly to detect internal threats like data exfiltration.

What is most valuable?

I am a basic user. The search lookups are useful.

What needs improvement?

The product must improve insider threat detection. Almost everything is outside in, but not inside out.

For how long have I used the solution?

I have been using the solution for four years.

What do I think about the stability of the solution?

The solution is very reliable. I like its stability. It always works.

What do I think about the scalability of the solution?

Sometimes, it takes time when we need additional information or something extra. However, the tool’s able to do it.

How are customer service and support?

I haven’t contacted the support team. I reach out to the internal expert. My searches and my requirements are very basic. The expert is great. He’s always able to help me and guide me.

How would you rate customer service and support?

Positive

What was our ROI?

We do see a return on investment. The product saves us time by automating reports and helping us see data.

What other advice do I have?

The solution helps reduce our mean time to resolve. It’s great to automate some tasks. I believe Splunk has helped improve our organization’s business resilience. We have become stronger in insider threats by just stopping things, being able to show what is leaving, and taking action on it. It's very useful when I try to identify events.

When I started working in my organization, they were using Splunk. Overall, I rate the product a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Senior Analyst at a computer software company with 11-50 employees
Real User
Top 5
Enables us to use rules to segregate data and restrict our clients from seeing each other's data
Pros and Cons
  • "Splunk's strongest suit is its user interface. We can integrate multiple solutions and adjust settings in the Splunk interface."
  • "Splunk could improve its default machine-learning models. Also, Splunk Enterprise's native threat intelligence isn't that good. I prefer a custom threat intelligence model."

What is our primary use case?

We implement Splunk Enterprise Security for our clients. It's a security tool that centralizes data in one location, so we can gain some insights from it. We can also use it to create alerts. For example, let's say we want to find an incident in real-time, but we can't sit in a single place and stare at the screen. We can create alerts that send us an email notification or automate a response. 

How has it helped my organization?

Splunk helped us reduce our alert volume because we could optimize our risk-based user analytics. I estimate that we decreased alerts by around 20 percent. Splunk Enterprise Security speeds up security investigations.  

What is most valuable?

Splunk's strongest suit is its user interface. We can integrate multiple solutions and adjust settings in the Splunk interface. It's easy to manage multi-cloud environments because we can use rules to segregate the data and restrict our clients from seeing each other's data. Splunk has a lot of plugins and add-ons that provide a lot of information about our cloud and on-prem environments.

Splunk's MITRE ATT&CK framework is excellent, but I haven't used it for investigation. I'm primarily involved in implementation and development. Splunk Enterprise Security is solid detection-wise and faster than many other SIEM solutions. 

We already have an antivirus solution in our environment, so Splunk detects viruses based on that. Once the antivirus detects something, it generates an incident in Splunk that we can investigate. The detection time depends on a few factors, but we can detect a threat in two to five minutes under ideal conditions. 

What needs improvement?

Splunk could improve its default machine-learning models. Also, Splunk Enterprise's native threat intelligence isn't that good. I prefer a custom threat intelligence model. 

For how long have I used the solution?

We have used Splunk Enterprise Security for more than three years.

What do I think about the stability of the solution?

Splunk Enterprise Security has gone through multiple versions, so the product is mature and stable. It's currently on version 9. 

What do I think about the scalability of the solution?

We can scale Splunk Enterprise Security horizontally or vertically. It isn't a problem. 

How are customer service and support?

I rate Splunk support 10 out of 10. Splunk has better support than other vendors I've worked with. It's better than IBM support. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously partnered with IBM and used QRadar as our SIEM. Splunk is faster, and I like the look and feel better. If you are looking for the cheapest solution, some free open-source SIEM solutions exist. They can do many of the same things that Splunk can do but maybe not at the same scale. 

How was the initial setup?

One person can deploy Splunk Enterprise Security in 15 to 20 days, depending on the architecture. It takes less time to deploy on the cloud. The solution requires some maintenance. We need someone there to monitor it in case there are issues. Three people are responsible for maintaining Splunk. 

What's my experience with pricing, setup cost, and licensing?

Splunk costs a little more than other SIEM solutions. It would be nice if they could bring the price down a little. 

What other advice do I have?

I rate Splunk Enterprise Security nine out of 10.

Disclosure: My company has a business relationship with this vendor other than being a customer: Integrator
Flag as inappropriate
PeerSpot user
Riaz Ahmmed - PeerSpot reviewer
Team Lead at ATSS
Reseller
Provides actionable intelligence, continuous monitoring, and advanced threat protection
Pros and Cons
  • "Splunk Enterprise Security is able to process a huge amount of data without any issues."
  • "Splunk Enterprise Security can be improved by including backup network detection and response and safe management to the paid platform."

What is our primary use case?

We use Splunk Enterprise Security for continuous monitoring, ensuring compliance, and advanced threat protection.

How has it helped my organization?

Splunk Enterprise Security allows our customers to view their decentralized infrastructure from a single pane of glass.

Splunk Enterprise Security's insider threat detection capabilities are good.

The actionable intelligence provided by the threat intelligence management feature is effective. The solutions are integrated into the platform, and customers receive operational insights.

The MITRE ATT&CK framework's ability to help our customers discover the overall scope of an incident is high.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches.

Splunk Enterprise Security helps our customers detect threats faster.

Splunk Enterprise Security is able to process a huge amount of data without any issues. Our customers can see the benefits two to three months after deployment.

Splunk Enterprise Security helped our customers reduce their alert volume by 40 to 50 percent.

Splunk Enterprise Security helped speed up our customer's investigation time by 60 to 70 percent.

What needs improvement?

Splunk Enterprise Security can be improved by including backup network detection and response and safe management to the paid platform.

Splunk Enterprise Security's price is high and could be lowered.

For how long have I used the solution?

I have been using Splunk Enterprise Security for two years.

What do I think about the stability of the solution?

I would rate the stability a ten out of ten.

What do I think about the scalability of the solution?

I would rate the scalability a ten out of ten.

How are customer service and support?

The technical support response time is delayed and they can take two to three days to respond sometimes.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup can be complex for customers who require advanced configurations and customizations, but it is straightforward for basic usage.

The deployment process is simple. We first identify the platform and determine if it is a unique system. Then, we define the virtual environment. After installing Splunk's platform, we perform the necessary configurations and other tasks. Splunk Security Essentials is a premium add-on for this tool, which is installed on the Splunk Enterprise platform.

The number of people required for the deployment depends on the customer's requirements and the use case they are developing. For example, if the customer needs to gather data from their network, we will need to add network experts to the project. However, if we already have experts who are familiar with the API and application connectivity, we may not need to add any additional people. Ultimately, the number of technical resources required will depend on the specific needs of the project. On average, we require four to five technical people for deployment.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security's price is high. I would rate the cost as ten out of ten, with ten being the most expensive.

What other advice do I have?

I would rate Splunk Enterprise Security an eight out of ten.

There are many cheaper solutions available on the market but Splunk Enterprise Security is worth the cost.

Two people are required for maintenance.

The value Resilience offers our customers is good.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
Flag as inappropriate
PeerSpot user
Chetankumar Savalagimath - PeerSpot reviewer
Delivery Manager at a tech services company with 1,001-5,000 employees
Real User
Top 5Leaderboard
Provides more versatile dashboard than other solutions and very fast search functionality
Pros and Cons
  • "Splunk's advantage is its search capability. Its search is notably faster. With Splunk, I can search easily on keywords. That is great."
  • "Previously, they developed custom connectors or add-ons for a lot of applications. But that number can be upgraded still. There are a lot of applications in the world that are not supported."

What is our primary use case?

The primary use case is security and data analytics. In general, we manage and maintain it for our customers.

What is most valuable?

Application-wise, it's good. Searching and reporting of data analytics is also fine. The dashboard presentations are also a good feature. Overall, its functionality is great and that's why we use it.

What needs improvement?

I would like additional support for custom add-ons, as well as cloud integration. Right now we have concerns because we have to customize applications for direct integration. But on-prem, it is all functional. We have to build it on our own. Previously, they developed custom connectors or add-ons for a lot of applications. But that number can be upgraded still. There are a lot of applications in the world that are not supported.

For how long have I used the solution?

I have been using Splunk Enterprise Security for over two years. I received Splunk certification six years ago.

What do I think about the stability of the solution?

The stability of the functionality is good, but there are still bugs that keep hindering things. I am waiting but they are there and that is quite common. I think they have not yet been resolved from the older versions. The stability is a seven-plus out of 10.

What do I think about the scalability of the solution?

It's scalable for all environments. Splunk Cloud can be scaled to a small or medium company, depending on their inputs or log resources. Businesses at the high end of medium-sized, and large companies, can go with the on-prem solution.

How are customer service and support?

The technical support is good. 

However, there is a lot of delay nowadays. The last time we raised a case, it took quite a long for them to come back with their first response. That's not for a P1 or P2, but if it is a P3, they don't respond at the earliest. When they respond, it is quite late and we have to ask again. The first response is never an answer. It's always a query.

Still, the people I have worked with there are all an eight-plus out of 10.

How would you rate customer service and support?

Positive

How was the initial setup?

It can be deployed on-prem or in the cloud. With the latter, it is Splunk's own cloud. 

The deployment of the solution is straightforward, but there is a lot of engineering activity involved in designing the architecture. Architecture-wise, it is fine, and bringing things together is not that tough, but maintaining and managing it is a tough job because we don't work in a normal environment. We work on something that is very defined to the network. That means we have to build everything from scratch and deploy it.

The implementation strategy depends on how the customer wants things done. But in general, I go through research and then develop and design. I ask the client what sort of environment is flexible or cost-effective for them. It's done in stages. It's a matter of understanding the infrastructure and then implementing,  or designing and handing it over to them.

If there are 1,000 log sources, it takes six months to a year to deploy, depending on how the customer is supporting the process.

Every on-prem solution involves maintenance, including keeping things upgraded, whereas Splunk Cloud is managed by the vendor. The number of people involved in on-prem maintenance depends on the size of the environment and how long our update window is. For example, if we have a green zone at midnight for three hours, and we want to upgrade at least 20 to 30 servers, it will take eight to 10 people working in parallel. But for a very small environment of 10 servers, it will take four people to manage it, or if we have a large window, even three people can do it.

What about the implementation team?

We do it ourselves.

What's my experience with pricing, setup cost, and licensing?

The pricing depends on the bandwidth of an organization and is good compared to some SIEM tools. IBM, for example, is quite costly. But Microsoft Sentinel is notably cheaper. I have seen a lot of organizations running on Sentinel.

IBM is for quite large organizations that don't want to have their data on the cloud. Splunk has both on-prem and cloud modules and, cost-wise, Splunk is better. Internally, we cannot push everything to the cloud. That would become too expensive for us. So we have it sitting in our data center and that is good.

Which other solutions did I evaluate?

I have worked with a number of other solutions including RSA enVision, IBM QRadar, as well as Microsoft, McAfee, and LogRhythm. 

If we want to build an add-on feature in Splunk, we have to build an application and then integrate it. But in other applications, there is a direct integration that only requires partial development and it will start functioning.

Also, there is something called correlation in a lot of other tools. Splunk also has it but it consumes a lot of memory. If we tag all the data, it is better, but tagging consumes storage and it makes it a little tough for us to run a search. 

If we want to work towards SOAR, if there were a little bit more integration so that our customers could taste SOAR, they could then move to Splunk Phantom or other tools. Right now, people are not using automation. Everything is done manually. Hopefully, that's the next goal. Security operations will surely use SOAR and, once they start tasting it, they'll get to know how it works. They can design playbooks and start using it. That's an additional feature I would like Splunk to bring in. 

Splunk's advantage is its search capability. Its search is notably faster. With Splunk, I can search easily on keywords. That is great. It also has something called "stats" and it runs much faster. Within minutes, it gives the data from a very large set. Spunk's dashboards are also a very good thing. No other application or tool is as versatile in presenting the dashboard. It all comes down to presentation. It may take a little bit of engineering work to develop and customize, to parse the fields and fetch the data, but the presentation is good.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
SaravanaKumar1 - PeerSpot reviewer
Principal Consulting - Cloud & Infrastructure Services at Fourth Dimension Technologies
Real User
Top 10
The solution enables us to create custom dashboards and queries to effectively meet our customers' needs
Pros and Cons
  • "Splunk allows us to customize processing and dashboards, which helps us take care of our customers' needs."
  • "The threat management part is still lagging. There are some gaps in threat management. Other vendors have built-in threat management systems, but Splunk lacks the threat management component in its portal. The UEBA and everything else is perfect, but it lacks a unified threat intelligence and management part."

What is our primary use case?

Our technical teams are demoing various enterprise tools to develop experience and knowledge so we can better serve our clients. In addition to Splunk, we are evaluating IBM QRadar and one other solution. One of our customers is asking about the Splunk MSP model.

How has it helped my organization?

Splunk allows us to customize processing and dashboards, which helps us take care of our customers' needs. Splunk is costly, but it's better than other products. It speeds up security investigations. It helps us detect threats faster. Everything is faster. The only part that's lagging is the management. Otherwise, Splunk is good. It took about a month to realize the solution's benefits. 

We get few alerts except for the other solutions we have integrated with Splunk. We'll monitor those alerts and support their customers, but we don't have any other mechanisms for databases or something outside of the infrastructure. 

What is most valuable?

Splunk enables us to customize dashboards and queries, and we can add multiple admin users. We only use the essential parts, including the MITRE ATT&CK framework capabilities. Organizations share threat information under the MITRE ATT&CK framework. We do threat hunting and marketing based on that.

We do manual threat hunting. We get all the IP addresses and check the threat databases to determine if it's malicious. 

What needs improvement?

The algorithms and alerts could be improved. I would also like to pre-build use cases. We need to create the algorithm based on our use cases. 

The threat management part is still lagging. There are some gaps in threat management. Other vendors have built-in threat management systems, but Splunk lacks the threat management component in its portal. The UEBA and everything else is perfect, but it lacks a unified threat intelligence and management feature. 

We've also had problems integrating the solution. We get multiple errors, like search log errors, UI errors, etc., and performance issues. It's fine with basic content, but if we're dealing with multiple data sources and 30 GB of data, it cannot handle the load. Our customer is indexing around 10 GB of data daily, and I can't search the log without getting errors. 

What do I think about the stability of the solution?

Splunk Enterprise is stable. 

What do I think about the scalability of the solution?

Splunk Enterprise is highly scalable. 

How are customer service and support?

We haven't had to contact Splunk support because we can find all the answers we need online. 

Which solution did I use previously and why did I switch?

We also use IBM QRadar.

How was the initial setup?

Deploying Splunk is straightforward. We had no issues. 

What's my experience with pricing, setup cost, and licensing?

Splunk is more expensive than most solutions, but it offers lots of value. If a customer wants the cheapest solution, we'll use that.

What other advice do I have?

I rate Splunk Enterprise Security an eight out of ten. I would give it a ten if it had built-in threat management. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
PeerSpot user
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: February 2024
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.