Splunk Enterprise Security Reviews

We deploy Splunk for law enforcement agencies facing attacks from threat actors in China, Iran, and Pakistan. It helps plug the gaps because Splunk can easily identify malicious traffic.

In this instance, Splunk was only deployed for a specific department, not the entire ministry. However, this department has multiple cloud clusters for their operations, storage, and computing. Splunk is monitoring all of these clusters. It started as an on-premise solution, but then the department decided to go for cloud-based services that require a connector. Now, it's more of a hybrid solution.

 We face a lot of government-backed threats from India's neighbors, so threat intelligence can provide us with the information to take preemptive steps to stop the attacks. We were able to configure our network and the gateway firewalls. So that helped us overall.

We use the threat topology and MITRE ATT&CK features to compile our quarterly reports, but the leaders of the government departments are hardly concerned with these things.  They only respond to certain keywords if you highlight them. However, if you explain that something is an IOC according to the MITRE ATT&CK framework, they won't understand the jargon. They don't have the technical knowledge to comprehend MITRE ATT&CK. A private organization might have that capability. Government agencies may go for a full-fledged enterprise solution, but there are many features they don't understand or want to use. 

We still need to use manual techniques to investigate threats. Once, we had to look for devices that were infected, and we manually located the threat because the attacker had used a particular telecom handle to steal the data. In that sense, we did it manually but used Splunk to find the threat actor and the credentials used in the attack. The investigations were also quicker because we had the necessary information on hand. 

Resilience is essential, but it's something that can't fall entirely on a solution. Information security is the responsibility of every employee. While a cloud system doesn't go down easily, on-prem environments are more vulnerable.

Splunk has an excellent threat intel feed, so we can get the latest IOCs. The threat intel service enhances the threat detection capabilities because the solution is purely based on threat intel. They gather each threat intel from the dark web and the other areas of the internet. Once the integration is done, it's much more helpful than the traditional Splunk features, which may yield limited visibility. Splunk isn't purely a threat intelligence solution, but it may not have feeds at that frequency.

The threat detection capabilities are excellent, but it depends a lot on the configuration. If we can't configure the indicators of compromise correctly, then it becomes difficult for Splunk to evaluate a threat. For example, let's say a user is accelerating some data through the email gateway, and the gateway isn't being monitored. Splunk can't do anything about that because it requires a gateway monitoring system to be installed. Splunk is only aggregating the events coming in, and it cannot find the exact DLP agent. The DLP logs need to be forwarded to this Splunk connector.

The ingestion happens quickly, so you can run up the data costs if you use the default settings. It isn't a problem for government agencies in the Saudi market, but many of the corporations in India are small or medium-sized enterprises that cannot afford that kind of ingestion system.  

Splunk needs to be tweaked in JSON so you can limit what is coming from the endpoints, especially the events. One needs to filter that out so that only certain events are ingested, like login failures, Active Directory changes, password reset requests, privilege modifications, etc. Each Windows machine generates about 310 KB of information per event, but we can tweak that down to about 50 KB.

I have been using Splunk for five years. 

Splunk is stable. We haven't had any downtime or performance issues. 

I rate Splunk support 10 out of 10. Splunk has lots of training materials online where our engineers can learn at their own pace. The courses are easy to understand and use simple language. You don't need to learn Java queries. The main reason we rejected QRadar was the fact that it is such a closed solution. If you want to learn something, you have to contact IBM support and request the materials. 

Positive

I have worked with ArcSight, and Palo Alto has a good SIEM solution. ArcSight's UI has some drawbacks, whereas Splunk is easier to integrate and implement. ArcSight's interface didn't impress me. I didn't like the way you have to write queries. It was a tedious solution to use, and it was not pleasing to the eyes. The charts and reporting were not visually appealing. 

ArcSight was also a costly solution, but the main reason I wanted to switch to Splunk was that it was easier to integrate. It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query on Splunk. The resolution time is about the same, but it took longer to discover the issue with ArcSight. Our previous solution took about an hour or more, but Splunk can do it within a few minutes or an hour at most. 

Splunk can be an expensive solution. It all depends on how we configure the alerts and the events from the endpoints. You can save some money if you do that correctly. If not, it becomes an expensive solution.

If you don't have the money, you can go for an open-source solution like RedELK, which is based on Elasticsearch. It's cheaper, but you have a lot of support issues. There are no security upgrades. Those are not well supported. If somebody has a basic understanding of the technology and the necessary budget, I would say stick with Splunk. Its ease of use is attractive to an engineer.

I rate Splunk Enterprise Security nine out of 10. There's always room for improvement. 

We provide services to our clients as a security operations center and we utilize Splunk Enterprise Security for enterprise security purposes, encompassing various use cases based on client requirements. These include network attacks, malware-related attacks, inbound traffic-related attacks, recurrent activities, web-related detections, internal detections related to root flows, and service account-related use cases.

We are working to secure the enterprise's networks, devices, and infrastructure, as well as enhance overall security. Our goal is to monitor and protect against all types of external cyber-attacks. We will diligently monitor the systems and address any issues at the earliest stage possible.

Splunk Enterprise Security can be deployed both on-premises and in the cloud. We have primarily deployed the solution on Splunk Cloud.

We utilize Splunk Enterprise Security for monitoring multiple cloud environments. By employing an API, we can deploy various forwarders within Splunk. These forwarders gather logs from diverse cloud sources and other types of sources. Consequently, we have the ability to install an API from the Splunk store, enabling us to seamlessly connect with cloud sources such as CloudWatch, AWS, and other similar platforms. Splunk Enterprise Security offers comprehensive visibility across numerous environments.

Splunk Enterprise Security offers excellent threat detection capabilities to help our organization identify unknown threats. Additionally, we utilize threat feeds that index various anomalies. We have integrated threat intelligence platforms, which provide indicators such as advisories and engagement in case of compromises and attacks. This integration assists us in preventing attacks within our environment. Initially, we can obtain this information through the threat feeds. Consequently, we can restrict and block operating systems either within Splunk itself or through other security tools.

We also utilize threat intelligence. We have access to threat feeds from various sources, such as VPN. The threat intelligence management feature allows us to collect detailed information in the event of a data breach affecting an organization on other websites or within the dark web itself. We receive such information, along with details of any attacks or incidents occurring in different environments worldwide. We can obtain these threat feeds instantly through the cyber news channel mentioned.

The threat topology and MITRE ATT&CK features are integrated, allowing us to obtain the tactics, techniques, and processes necessary to solve any remediation process. By deploying the TTP MITRE ATT&CK framework in any use case, we can acquire a detailed explanation and determine the appropriate course of action to follow. Checking the MITRE enables us to easily resolve and remediate any issues. This helps us address any errors or crashes effectively, by following the simple steps outlined by MITRE. It allows us to easily identify and rectify issues, without the need to involve a senior person if they are unfamiliar with the specific use case. Additionally, it enables us to quickly verify and provide remediation, specifically tailored to the respective team that needs to take action.

Splunk Enterprise Security's ability to analyze malicious activities and detect breaches is advantageous to me. When compared to other tools I have used previously, it involves a straightforward SQL query, allowing me to quickly modify the reports in less than five minutes.

Splunk Enterprise Security has helped us detect threats faster. We can integrate multiple security tools, and we can retrieve logs at any time using simple queries, utilizing various indexes and forwarders. These components handle log parsing and aggregation, enabling us to easily identify all the security rules detected using Splunk. For instance, if we provide a hostname or IP source, we can obtain a list of the security details detected in that specific instance.

Splunk Enterprise Security has helped our organization reduce the threats and breaches from security attacks across various threat factors.

Our clients quickly realize the benefits of Splunk Enterprise Security, which is why they have continued to use it for so many years.

Splunk Enterprise Security has helped us reduce our alert volume. The total reduction in volume depends on the new use cases or devices that are onboarded. Initially, there may be a high alert volume, but we will analyze and work based on those alerts. Through this process, we cannot definitively state the exact percentage reduction, but it does significantly reduce the number of false positives in the environment, thanks to fine-tuning the use cases.

Splunk Enterprise Security has helped accelerate our security investigations. Splunk also offers the Phantom SOAR, although I am not currently utilizing it. However, I am familiar with the Splunk platform, which can automate the process and promptly detect and block various types of actions. We can also easily analyze the Splunk programming language.

Splunk can save our analysts ten minutes of additional time compared to our previous solution when resolving alerts, provided that we have the necessary query knowledge. 

Recently, Splunk upgraded to version 9.0.02, which includes excellent data dashboards and visualization effects. This upgrade makes it easier for me to implement all the dashboards. I have created a dashboard that showcases all the VPN monthly data in one place, which is a beneficial feature of the new visualization effects.

There are deployment servers and other servers, and sometimes Splunk may encounter issues if there are non-reporting devices. We will receive alerts only for the administrators and deployment servers, but not for all servers.

When upgrading Splunk, we encounter certain issues. For instance, it does not accept older versions of the other tools we use. This is the main problem. For example, if we are using a ticketing tool or any other XDR or EDR solutions, we need to upgrade them when we upgrade Splunk. During this process, we will encounter some difficulties, resulting in delays. Ideally, the upgrade process should first accept the current versions and then prompt for an upgrade, allowing us sufficient time to upgrade the other solutions. This helps ensure business continuity, although it may introduce some delays in upgrading all these processes.

I have been using Splunk Enterprise Security for five years.

Splunk Enterprise Security is stable.

We are satisfied with the scalability of Splunk Enterprise Security. It can increase its capacity and functionality based on our demands.

Splunk technical support is good.

Positive

I used ArcSight for Level 1 monitoring in my previous company, and my current company was using Splunk Enterprise Security when I joined.

We have witnessed a 60 percent return on investment due to the security that the solution offers to our organization.

Unlike other security tools, Splunk provides a fixed amount of gigabytes per day, and we are required to pay for any additional usage beyond that limit, in addition to our monthly cost. I believe this pricing structure is reasonable for medium and large organizations.

I rate Splunk Enterprise Security nine out of ten.

An organization that wants a CM solution but prefers to go with the cheapest option may work for a small organization, but not for medium and large ones. Splunk Enterprise Security is worth the cost for larger organizations.

Splunk Enterprise Security is deployed in a single location where it collects logs from various assets, infrastructure, and security tools. It serves as a monitoring tool, allowing us to view all the logs in a unified platform, including security tools, network scanners, portability management tools, and other infrastructure components such as Windows servers, Mission servers, and devices. Integration of these components occurs through different platforms like SCM or other platforms, enabling us to monitor everything in a single user interface using Splunk.

Maintenance is necessary for updates and patches. Additionally, we must be prompt with deployments as we need to monitor the health checks of the devices reporting to Splunk. It's crucial to remain active in this process to avoid any potential impact, so we should be mindful of that. Two admins are usually enough for maintenance, and if we encounter any issues, we can contact Splunk client support.

Resilience is important to capture all threat activities and threat speeds, such as IOCs, but we primarily focus on the ESF application. We integrate various threat intelligence platforms, including Splunk, which provides threats from different sources.

I recommend Splunk Enterprise Security as long as it fits within the budget.

Splunk Enterprise Security's single pane of glass enables us to easily monitor everything from one centralized location. Additionally, with its simple query language, we can retrieve all the logs in one place and generate reports quickly. This is exactly what security personnel require: fast reports and comprehensive log monitoring. It allows us to efficiently check all the security tools simultaneously. 

We have an engineering team working on the back end to receive data, they do data modeling, and create dashboards. That's been pretty useful.

Splunk Enterprise Security helped our organization a lot. In the past, we relied on every single product that had its own kind of audit trail information. We needed to go and look for it, for example, in the Windows environment. We have to use the event viewer a lot to look for certain things, like system applications and security logs. In Linux, we have to use the log file, and under certain applications in the Linux environment, we have to look at the logs for that as well.

That's just part of the operating system. It is not the infrastructure, like network devices. When we centralize logs, we put everything in one location. 

Our advanced users can do the SPL query anything they want. Executives or higher-up management users need to look for certain things, like how many systems are missing patches for this month or who logged in today from where, what they did, and how often they re-authenticated to the systems. 

We have a lot of data from businesses, data from our devices, and more. When we put it all in the ES, it gives us the ability to look at certain functions. It provides more insight into our data, where it's traveling from, between endpoints, and what they're doing with it. 

We also look into performance. We use other monitoring tools as well, and that data is also piped into Splunk. We have a centralized platform that we can navigate to look for everything we need rather than having to go to each individual system, like Cisco Syslog or we have to go to the Forcepoint console to look for it. It is a centralized platform that gives us more insights into our data or what's happening in general. 

It is very important that Splunk Enterprise Security provides end-to-end visibility into our environment because, at any given point in time, we want to know what's happening to the data. Data privacy is the primary concern. We want to make sure that authorized users get access to what they are authorized to so that data would not leak out or travel from a different path. Again, we get a lot of data in there. We understand more about our data to improve the business in certain aspects.

We know that during certain times of the day, a lot of people access a server or website.

Then it'll give us more insight about where we need more network bandwidth or where we need to upgrade network devices. We understand more about our data, like how many people access the data lake house. And that's just for performance. 

On the security side, we would know who's accessing it from where. Are they authorized to do so, or is there any weird access pattern in locations that they're not supposed to be in?

So again, we get the data, we centralize it, and we can do data mining. We can pull out anything from there rather than looking all over the place, like, "I want to find out if he's working today if someone's using his account, or from which devices he accessed data from two different places."

From Splunk Enterprise, we can either do it manually or have our engineers create an audit dashboard. Or, if you are an advanced user, you can do SPL queries that will give you anything you need.

The alert volume depends on the users. If they do what they're supposed to, then there's nothing to talk about. If not, it's more or less on how you manage the data, educate your users, and control your system. Based on that, Splunk might play zero, fifty percent, or seventy-five percent role.

In a way, it has helped improve our organization's business resilience. It's a way for us to predict the pattern of data access and other things going on.

Knowing a way to do that, if we have enough resources to do it, is fine because we have so much data, but no one's really monitoring it. If we get alerts in the middle of the night and we don't have anyone to handle it, it's not going to help.

It's another aspect that we worry the most about, where our data is floating. 

Now that we've centralized our log information into Splunk, we want it to be secured well because now users can predict a pattern of data access from where, and from whom. 

We put all of our logs and data into Splunk, like network switches, firewalls, and web-based protection. In general, every component within the infrastructure sends data to Splunk. 

Then, we have an engineering team transforming, manipulating, and analyzing the data to create a front-end dashboard in a meaningful way.   

With the new announcement of version eight, it's going to give us a single point-and-click. On the front page there, that will give us a whole lot of information that we need to look into on the right panel without navigating down or going to more details, clicking here and there.

We've been using it for quite a few years now.

The solution of choice depends on the engineers and teams. If they manage Linux, they're comfortable with certain tools to read the logs. In a Windows environment, it depends on the engineers. They favor any certain tool; they would do it, but it would be to cut down costs and consolidate all the software strings.  

Splunk was not that big years ago. But then we started seeing that they put more investment into it and made the tool more useful.

We're not using the cloud version yet. This is just the enterprise product on-premises.

Splunk can improve the pricing. People like certain features, and sales use the features that they provide, the automated features, to hook customers into paying for the big-price license.

Everyone does it, like Microsoft and Cisco. Initially, you try out the free version, but once you get it in your shop and turn it into production, you start relying on it and don't want to get out. You start paying a lot more for it.

Splunk is on the right path. It's good, but it does not provide everything that we need. There's a lot more to it. I look at it as ideal for detecting in real-time, but we're always behind and just look at the log information. 

If you have a network device, a Splunk Enterprise instance, and you have to send data to it. You're relying on network connections. 

If you're using a cloud service or anything where Splunk is not on-premises, there's high latency. If that network connection is down, that's it. You don't know what's going on. So even if you have it on-prem, you're still relying on it after the fact. 

When you look at Splunk, you're looking at things that have already happened. It's nothing that's actively going out there and doing something for you. 

If you had to give it a number, from one to ten, since they've gone this far, I'd give it a five or six. Because locking or monitoring is just a part of business, and how you're going to receive those alerts and act on them is another part of it, when I look at the overall infrastructure and infrastructure management.

I have used the solution in my company since I was an admin for Splunk. Most of the people involved in the use cases associated with the product are those in the SOC team.

The tool has helped us to identify and analyze the possible threats. The product helps identify threats and do further investigations.

In terms of the benefits I have seen from using Splunk Enterprise Security, I would say that we are still working on implementing Splunk tools.

The most valuable feature of the solution is correlation searches, which allow you to easily find threats and other such areas.

It is really important that Splunk Enterprise Security provides end-to-end visibility into our company's environment, as it can help save time and make the response faster.

Splunk Enterprise Security has helped improve our organization's ability to ingest and normalize data with the use of data models and Splunk CIM.

The tool has helped reduce our company's alert volume as the identification process is fast.

Splunk Enterprise Security provides our company with relevant context to help guide our investigations. Any incident can be resolved in a minimal amount of time than expected, and we can get more information about such incidents. It can be resolved mostly on the same day and even in a few hours.

Splunk Enterprise Security helped reduce mean-time resolve. It has also helped improve our organization's business resilience. Considering the tool's ability to predict, identify, and solve problems in real-time, I would say that it keeps our company safe.

Splunk's unified platform helps consolidate networking, security, and IT observability tools. I cannot provide too many details because I am not working directly on the analytics part.

I think in the near future, we want to have Splunk Enterprise Security complemented with Splunk SOAR because we have been checking the administrations. It is pretty cool, considering the things that you can do with Splunk Enterprise Security and Splunk SOAR together.

Resource usage can probably be described as an area with shortcomings in the product where improvements are required.

Our company just saw the latest version of the tool here in the Gulf. I am not sure, though, about it because what Splunk showed us was really impressive.

I have been using Splunk Enterprise Security for five years. My company is a customer.

It is a stable solution. At my company, there are two Splunk admins. Splunk is so stable that though there are two Splunk admins in the company, nobody complains that something is not working. Stability-wise, I rate the solution a nine out of ten.

Scalability-wise, the tool is awesome since you can add or reduce your resources in an easy way.

The solution's technical support offered to users could be much more. At times, I get answers related to Splunk from the support team, which I feel are available on Google. I rate the technical support a seven or eight out of ten. I feel that sometimes the tool's support team uses Google to provide me with answers.

Neutral

I did not previously use a different solution.

It was harder to get it working and configured correctly in the past. Things have changed a lot since the first version of the tool was released. I honestly feel comfortable anytime the tool releases something new to be deployed or if there is a new upgrade.

The solution is deployed on an on-premises model. I use the cloud services offered by Azure and AWS.

I have not seen a return on investment.

Splunk Enterprise Security is not a cheap product, but I think it is worth every dollar that you pay.

Considering that the initial configuration is difficult, I rate the solution an eight out of ten.

We use the solution for monitoring and detection and for threat hunting.

On the threat-hunting side, we can easily hunt down what we're looking for because Splunk's language parses the data coming in and allows us to utilize it to filter down through the data we need.

I very much enjoy Splunk's robust search nature, which enables me to find the data I want within the data I have. It's helpful for doing an investigation, whether that's an incident response or threat hunting.

It is important to our organization that Splunk Enterprise Security provides end-to-end visibility into our environment. That way, we can see where the data is throughout the entire process, depending on where we are in the incident.

Splunk Enterprise Security has helped improve our organization’s ability to ingest and normalize data.

Splunk Enterprise Security has, by far, the best search capabilities. It ties that into alerts and notables, allowing you to refine what you want to see in your data.

There's been a big push for SBC compute over the ingestion model, which will hamper us. We're trying to increase our search counts with things like risk-based alerting, and I think that change will hinder our process.

I have been using Splunk Enterprise Security for eight years.

Splunk Enterprise Security is a stable solution.

Splunk Enterprise Security is a scalable solution.

I think we recently switched to the SVC pricing compared to the ingest pricing. I don't know if that was the right move for us.

Overall, I rate the solution an eight out of ten.

I work on the engineering side, so we build for the SOC. The use cases revolve around how the SOC can better leverage the toolset and how we can improve the tool for the SOC to better identify threats within the environment.

I have used it in previous jobs and found it very useful there. It's important for our organization to have end-to-end visibility. 

We don't have SOAR products from Splunk. I believe that's an important piece if it is offered with this platform to fully have the enterprise end-to-end visibility. While Splunk's offering is great, and we should consider leveraging it, we do have another platform in place. We need to carefully evaluate how Splunk's offerings integrate into the environment to provide that end-to-end visibility.

From the threat landscape view within Splunk Enterprise Security, it is valuable. The fields that are available provide a high-level overview of what is in front of us and drill down further to see the threat landscape that is in your environment. You can further investigate these threats in the Attack Analyzer. So, even with our current setup, we can achieve a degree of end-to-end visibility and threat analysis within the platform.

Splunk Enterprise Security helped improve our organization's ability to ingest and normalize data.

Before this, we used a different SIEM solution, but there was no visualization to it. Splunk gives us the ability to correlate data from different sources, see it in real-time, pull it all together from different landscapes of data sources, pull it all together, and look at the timelines of events about what's going on. It helps to narrow down quickly.

The recent feature updates with AI integrations are even more promising. I believe these will further enhance the SOC's ability to quickly identify threats and, hopefully, mitigate them before they propagate throughout our environment.

The most valuable feature is the ability to look at threats and link them to the MITRE ATT&CK framework. This helps our staff identify threats within our environment and appropriately landscape them.

Splunk Enterprise Security provides us with relevant context to help guide our investigations. 

At a high level, we can see threat details and then drill down further. It maps to important frameworks, like MITRE ATT&CK, to help us fully understand the origin of threats and where we need to go next to go in our investigative process.

It integrates with other platforms like Attack Analyzer and SOAR, and soon, AI integrations. These will further help us reduce the threat landscape.

We don't have SOAR and AI integrations yet. 

I've been using Splunk Enterprise Security for about a year, but we recently just onboarded Splunk to the organization, so we're still working on permissions that we used at a previous job. 

We're still working on permissions within the organization.

It's a stable product. I've used other SIEMs. It is much easier to navigate. It is more user-friendly. It is understanding SPL (Search Processing Language), coming in, not knowing it at all. 

It is much easier to go to the Splunk documentation, read the Splunk documentation, and understand, "Okay, this is what I'm looking for!" 

At my previous company, they rolled out Splunk and said, "Okay, we're ingesting all the logs in Splunk. Now go and just do it." 

There was no training involved, so I had to go and learn it on my own. And because while the logs were in the environment, I had to just go and go get the logs out of Splunk; I couldn't go to a server anymore or get logs the old-fashioned way. 

I had to learn Splunk quite quickly. It was easy to navigate the documentation, read the documentation, go to the community site, and navigate the community site; getting that information was quite easy. 

So it was a good experience, a much better experience in dealing with some other vendors. I've dealt with things like QRadar, and I had a difficult time even figuring out what their query language was and understanding how to translate that into actually getting a search to pull back data.  

I've worked in some environments where it's been used extensively with enormous amounts of data. 

In my current environment, we're still figuring out how much data to ingest and how it will be managed. We can adjust whatever we want, but it is an enormous amount of it because we are a "Big Data World" now. 

I have used it in environments where we had data lakes upon data lakes. Scalability from Splunk's point of view wasn't an issue. It was able to scale quite easily. 

The issue lies more on the business side like:

• How to maintain that growth? 
• How do you account for that growth? 

I don't think the issue is really from the Splunk standpoint. It's on the business side: How do you make sure you account for that growth in your models?

I had a good experience with support.

Positive

Based on my limited experience, I'd rate it a seven out of ten. However, I have high expectations due to the integrations I see possible, such as SOAR and the upcoming AI integrations. The roadmap for it is out of this world. 

I'm excited to see what Splunk has to offer with the Cisco offerings and the interconnectivity with Cisco.

Our security relies on Splunk Enterprise Security to analyze data models for malware, threats, and MITRE ATT&CK techniques. Pre-built dashboards and multiple correlation searches help us identify anomalies. Any suspicious events flagged by the MITRE framework are categorized and assigned as tickets to our engineers for investigation and mitigation.

Splunk has streamlined our incident response by automating key processes. For instance, alerts trigger upon exceeding three failed login attempts, automatically assigning tickets for review. Similarly, unauthorized access attempts from unfamiliar regions are automatically blocked. These automated data-driven responses significantly improve our overall incident response efficiency.

The customizable dashboards offer great visualization and extra add-ons.

Splunk Enterprise Security helps us to easily monitor multiple cloud environments.

Mission Control lets us monitor and manage our security from a single panel.

Based on my short experience, I would rate Splunk Enterprise Security eight out of ten for its ability to analyze malicious activity.

Splunk Enterprise Security helps reduce our alert volume.

Splunk Enterprise Security streamlines our security investigations by providing a central platform and offering a growing library of add-ons that expand our investigative capabilities.

Splunk Enterprise Security stands out for its ability to integrate with existing security tools, provide informative dashboards, and offer IT Service Assurance functionality that goes beyond basic threat detection to include service performance monitoring.

Splunk Enterprise Security offers a vast amount of information to learn and comprehend, resulting in a challenging initial learning curve.

Extracting logs from Splunk for analysis in other applications is crucial for me. This would allow me to identify correlations between data sets and make informed decisions about next steps. Unfortunately, the current Splunk workflow seems to hinder data verification.

The licensing cost could be more competitive, as some of our competitors offer lower prices.

I have been using Splunk Enterprise Security for one year.

We have encountered issues when updating features where Splunk Enterprise Security doesn't work properly. I would rate the stability of Splunk Enterprise Security seven out of ten.

The technical support team is always supportive but their response time and knowledge can be improved.

Positive

The initial deployment was straightforward.

The license for Splunk Enterprise Security is expensive.

I would rate Splunk Enterprise Security eight out of ten.

We have Splunk Enterprise Security deployed across multiple locations.

The resilience Splunk offers is good.

I recommend Splunk Enterprise Security to others.

Through Splunk Enterprise Security, we have implemented extensive login integration. This allows us to monitor and restrict access for sensitive accounts, such as superuser and master accounts when password rotations occur. If a login attempt is made for such an account, Splunk triggers a real-time workflow that automatically generates a P1 ticket for the Help Desk and IAM Operations teams to investigate and take necessary action.

Beyond real-time monitoring, we have established additional security measures. We utilize locks within JBOS to control manual account check-ins and user server activity, such as password verifications. Splunk ingests logs from any configured PAM solutions, enabling auditors and our technical team to readily access and analyze all privileged activities. We can also generate reports for session management, session logs, and audit logs.

Splunk Enterprise Security can enhance our organization's detection capabilities. While SIEM solutions are essential for most companies, choosing the right one is crucial. Splunk Enterprise Security is a popular option, and its benefits extend beyond technical teams. It can empower audit teams and provide visibility into user activities, including data sharing and out-of-the-box reports. Splunk's strength lies in its flexibility. It can integrate with other tools to fill any gaps in its capabilities. However, relying solely on one tool like Splunk isn't ideal. PAM tools often have built-in auditing and reporting features, but they may not offer the same level of customization or enterprise-wide visibility. This is where Splunk comes in. It provides a complementary solution, offering multiple ways to generate reports and gain insights.

We recently focused on enhancing Splunk Enterprise Security's identity correlation capabilities. This involved integrating it with several chosen applications. One key integration involved moving from Puppet to Ansible for managing privileged access management and performing virtualization tasks. Ansible allows for agentless management, meaning we don't need to install agents on every server. For broader asset management, we leverage CI/CD tools for efficient deployment across all servers. These tools significantly reduce the manual effort required.

Splunk Enterprise Security offers good visibility into multiple environments. However, certain applications in the financial sector, particularly for high-risk activities, still face regulatory or compliance restrictions that prevent them from migrating to the cloud. Despite these limitations, we see forward-thinking institutions like JPMorgan Chase taking the initiative to move lower-risk applications to the cloud. This trend extends beyond finance, with other sectors like healthcare already embracing cloud adoption.

In my assessment, Splunk Enterprise Security earns an eight out of ten for its ability to detect malicious activities and breaches, but only a seven out of ten for taking action.

Once we have an enterprise version set up, Splunk handles the initial identification steps of potential threats, saving us manual effort. I'd even rate Splunk a perfect ten for this initial phase. However, subsequent action items still require manual intervention – a bottleneck we can minimize with additional tools like endpoint security threat analytics that integrate with Splunk. This would enable complete threat modeling, including asset identification and mitigation directly within Splunk. Unfortunately, our company hasn't invested heavily in threat modeling, with a limited team compared to the larger IAM and risk groups. Thankfully, the industry is recognizing the importance of threat modeling, leading to increased hiring in this area.

Splunk Enterprise Security has significantly reduced our alert volume. This has freed up a substantial portion of the IM operations team, who were previously tasked with continuously monitoring for threats and anomalies across various applications, not just spam. By leveraging these threat detection tools, we anticipate being able to reduce IM operations staff by at least 50 percent.

Splunk Enterprise Security facilitates the acceleration of our security investigations, reducing the required time from one week to one day.

One of the features I appreciate most is privileged account threat detection. It identifies suspicious activity associated with fraudulent accounts detected on the endpoints of target systems.

Furthermore, the platform offers threat analysis and reporting that leverages Splunk data. This allows for the detection of irregular user access from machines directly. This functionality is crucial in large PAM environments with thousands of users, as it identifies inactive accounts.

For scenarios where users might not access the PAM portal to change passwords, different policies are implemented. Splunk plays a key role in detecting irregular user activity. By establishing a three-month threshold, we can identify cases where users haven't used their accounts despite not being on leave or vacation. Such instances warrant investigation to determine the continued need for privileged access.

We can automatically suspend or terminate suspicious sessions. We have also customized reporting within Splunk.

There are limitations with Splunk not detecting all user activity, especially on mainframes and network devices. This is because Splunk relies on agents, which cannot access certain workstations. In these cases, we have to rely on application data. For example, with mainframes, manual reports are generated and sent to Splunk, limiting visibility to what's manually reported. This lack of automation for specific platforms needs improvement from Splunk. Additionally, API access is limited for other applications that rely on API calls and requests. This requires heavy customization on Splunk's end. These are the main challenges we've encountered.

Monitoring multiple cloud platforms, like Azure, GCP, and AWS, with Splunk Enterprise Security presents some challenges. While Splunk provides different connectors for each provider, consolidating data from two domains across distinct cloud environments can be complex. However, leveraging pre-built templates and Splunk's data collation capabilities can help overcome these hurdles. Despite initial difficulties, I believe Splunk can effectively address this task, earning it an eight out of ten rating for its multi-cloud monitoring capabilities.

While Splunk Enterprise Security offers insider threat detection capabilities, its effectiveness could be enhanced by integrating with additional tools, such as endpoint security solutions. This integrated approach is particularly crucial for financial institutions, which often require dedicated endpoint security teams. While using multiple tools is valuable, further improvements within Splunk itself are also necessary. Considering both external integration and internal development, I would rate its current insider threat detection capabilities as three out of ten.

Threat detection is where Splunk falls behind. While it offers tools, other use cases require additional work. PAM is an enterprise tool that centralizes information about users, servers, and everything else. It needs real-time monitoring, which I haven't seen in any of the companies I've worked for. They only rely on Splunk for alerting, but real-time monitoring should be handled by the endpoint security team's tools. This means there's no detection or analysis at the machine or endpoint level. Additionally, threat analysis reporting is also absent.

I currently use Splunk Enterprise Security.

Splunk Enterprise Security's scalability and ability to handle large data volumes is great. Splunk can manage a lot of users and applications. I would rate the scalability a nine out of ten.

The technical support is a bit expensive but they respond quickly.

Positive

Splunk Enterprise Security is expensive but the solution is equipped with a lot of features.

My rating for Splunk Enterprise Security depends on the type of logs being analyzed and the company's specific environment and setup. If a company is actively comparing Splunk to competitors and their environment aligns well with Splunk's strengths, then a score of nine out of ten is justified.