Splunk Enterprise Security Reviews

My main use cases for Splunk Enterprise Security include cybersecurity threat, incident response, and security events.

The features I find most valuable in Splunk Enterprise Security are Incident Review, Security Essentials, Asset and Identity Management, and Machine Learning Toolkit. 

We are enriching data from Asset and Identity Management, and we have more data for our incident response and investigation with Splunk Enterprise Security when we need more data to investigate.

I use disparate security solutions that integrate or import data into Splunk Enterprise Security. The integration currently supports my security operations as it's now on a POC, however, it's not in production right now. 

I have expanded usage, and that process was very smooth. I assess the stability and reliability of Splunk Enterprise Security as very good.

Splunk Enterprise Security can be improved with more AI in the commands and more help in the commands, as not all people know how to write code in SPL, and we need more help in this area. 

That additional features such as AI command help and more flexibility in the search should be included in the next release to make it more simple.

The most significant challenges I face when using Splunk Enterprise Security for advanced threat detection involve correlating data from multiple assets and networks simultaneously, as our network is very complex and we have not yet properly collected all the data from our various data centers within my environment.

I have been using Splunk Enterprise Security for five years.

I have not experienced any downtime, crashes, or performance issues; it is very redundant.

Splunk Enterprise Security scales very well with the growing needs of my organization.

I evaluate customer service and technical support as very good.

Positive

Prior to adopting Splunk Enterprise Security, I was not using another solution to address similar needs.

I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security very simple and straightforward.

I have yet to see an ROI.

I'm not famiiar with the pricing. 

My organization does not use risk-based alerting yet. My security ops team takes 60 or 70% longer to remediate security incidents with Splunk Enterprise Security compared to our previous solution.

The advice I would give to other organizations considering Splunk Enterprise Security is to design, design, design, and design. Expanding on what that means, you need to be very organized with what you want and what you want to achieve from the product because the deployment is very crucial; once you install it, it's very hard to change the topology and to add more tenants or search heads, which is very complex. The vendor can contact me with any questions or comments about my review. 

On a scale of one to ten, I would rate Splunk Enterprise Security overall an eight.

My main use case for Splunk Enterprise Security is getting observability and insights in order to meet compliance objectives.

I appreciate the integrations with the SOAR architectures and the expandability that can be used throughout the entire ecosystem of Splunk Enterprise Security. They've improved my threat detection capabilities.

The system can be intimidating, and sometimes the concepts conveyed in the documentation require adjustment. The product is mature and continuing to mature. There could be a better opportunity to let larger groups outside of the community know about the ease of deploying the product.

I'm finding that newer generations, including my own, don't respond well to TL; DRs that often come from third parties and are often incorrect. If there was more of a quick answer, perhaps with Splunk AI, they could start implementing that on the documentation page to let people who have trust in that get a quicker answer.

Professionally, I have been using Splunk Enterprise Security in the last one to two years. Personally, I've used it several times as a hobby product and competitively in cyber games.

The product is mature. 

I don't directly deal with technical support.

Positive

Prior to adopting Splunk Enterprise Security, I was using another solution to address similar needs, however, I can't go into details.

I would describe my experience with deploying Splunk Enterprise Security as one that needs some more hand-holding. Some aspects of the language and understanding can be challenging for individuals unfamiliar with Splunk. There are opportunities to improve that dissemination.

With training, I find deployment relatively easy. There's some self-service that has to be done as a user in terms of learning and understanding the product. Once you understand those workflows, it presents as a relatively easy and intuitive product to expand and grow into.

I have seen a return on investment with Splunk Enterprise Security. It's a useful system, and I would highly advocate it with any Splunk deployment.

I'm not involved on the licensing side. 

The features that have been demoed and debuted in Splunk Enterprise Security are of particular interest, and I'm interested to see where that journey continues. I find the process for customizing, developing, testing, deploying, and refining detections in Splunk Enterprise Security relatively easy with training.

My advice to other organizations considering Splunk Enterprise Security is to try it. I would suggest getting a demo from Splunk as that's the worthwhile approach. It's better to see all the powers that this tool can bring in terms of those capacities rather than trying to figure it out on your own journey.

I would rate Splunk Enterprise Security an eight out of ten. The only reason for this rating is, from an outside-in perspective, as someone who hasn't spent time either deploying it themselves or learning more of the nuances of how clustered designs work, it can be an intimidating experience and requires a lot of hand-holding. This creates a barrier to adoption.

We are an MSSP, and some of our customers have Splunk Enterprise Security, and we run it for them.

Splunk Enterprise Security is very good for helping us find any security event across multi-cloud environments.

Splunk's unified platform works very nicely to help consolidate networking, security, and IT observability tools.

It helps speed up security investigations. There is a 25% to 30% improvement. There is also a 25% reduction in the mean time to resolve, but we are also using a SOAR tool, which reduces that by 70% to 80%. 

They have approximately 50,000 predefined correlation rules, which is quite a lot, and I find that good.

It is very complicated to write your own correlation rules without the help of Splunk support.

What Splunk could do better is to create an API to the standard SIEM tools, such as Microsoft Sentinel. The idea would be to make it less painful. In ELK Stack, Kibana is the query language with which you can search log files. I believe Splunk has also a query language in which they search their log files, but once you have identified the log file that you want to use for further security correlation, you want to very quickly transport that into your SIEM tool, such as Microsoft Sentinel. That is something that Splunk could make a little bit less painful because it is a lot of effort to find that log file and forward it. An API with Microsoft Sentinel or a similar SIEM tool would be a good idea.

I have used the solution for about five years.

It is very stable. Sometimes it can be sluggish, especially in completely virtualized environments, but overall, it is good.

I would rate it a nine out of ten for scalability. They struggle a bit with pure virtual environments, but in terms of how much they can handle, it is pretty good.

Based on what customers tell me, it has been good. If you want to write your own correlation rules, it is very difficult to do, and you need Splunk's support to write new correlation rules for the SIEM tool.

Positive

In our organization, we use our own tools such as Kyndryl Bridge and Elastic. We use Kyndryl Bridge which essentially has a similar function. It is based on Elastic. It indexes log files and flags log files. It helps you to very quickly search log files similar to the Splunk algorithm.

Our clients use Splunk Enterprise Security. If somebody already has Splunk as a business intelligence tool, then very often, it makes sense to expand the Splunk subscription they have to include Enterprise Security as well. We base our decisions on customer requirements, not on anything else. If a customer comes to us looking for a SIEM solution, we advise them based on their infrastructure and objectives. If we deliver the service for them and they want us to do that, we mostly go with Microsoft Sentinel when they already do not have Splunk. Otherwise, we go with Splunk Enterprise Security. We have about 30 customers in Germany who have Splunk, and we run it for them.

Monitoring multiple clouds with Splunk Enterprise Security is no more difficult than it is with Sentinel. I find Sentinel a bit easier. Splunk, of course, is very useful if you have AWS. Generically, because Splunk is not a cloud provider itself, it fits with anything. However, integration can be challenging at times, especially in virtualized environments. Splunk struggles a bit with speed in virtualized environments. Most importantly, Splunk can be outrageously expensive. That is the problem with both Splunk and Sentinel. Their pricing literally explodes based on the amount of data you feed in.

I like Elastic SIEM. It is a tool that allows you to determine the price. It is based on the computing power you require and not on the amount of data you put in, so it is a lot more flexible than Splunk or Sentinel. If there is a cost concern, Elastic SIEM is a good idea. Elastic is also pretty good at creating on-premises data lakes to control the amount of information you put into the same tool. That is something that neither Splunk nor Sentinel offers. 

In our operations, we use a separate threat intelligence vendor. To the SIEM tool, we added a SOAR tool for security orchestration, automation, and response, which is very critical these days. We get threat intelligence from a third-party provider because neither Splunk nor Microsoft gives the coverage that our customers need. Splunk does not have a SOAR capability, so we add that on top. We could add that on top of any tool, so it is not specific to Splunk, but Splunk helps because going through the log files is very fast. It does help when you do the incident analysis. Elastic also provides that, and Sentinel has that to some degree, but Splunk is still the Google for log files.

MITRE ATT&CK framework is integrated pretty much into any SIEM tool. It is not unique to Splunk. It is there in QRadar and other solutions. MITRE ATT&CK framework is helpful when designing incident response plans or playbooks. It is nice that they have it, but that is nothing unique to Splunk.

It is mostly a cloud solution.

The pricing is based on the volume of data fed into it, which can lead to substantial costs. This pricing model is complex and unpredictable, making cost management difficult.

Many parts of the IT world price based on IP addresses, nodes, or the number of devices. Splunk, of course, prices its services based on the volume of data submitted into the Splunk system. From a security perspective, it is very hard for clients to figure out how many security events per second their SIEM tool needs to work with. With Splunk, it is not just the events per second. They also need to know how much data per event per second the Splunk SIEM tool needs to work with. That is almost impossible to indicate.

Microsoft Sentinel is just as weird as Splunk. They also base the price on the amount of data you feed, whereas Elastic has a very interesting approach. It is not the amount of data you feed in; it is the amount of processing power you want to use. If you have a very large amount of data and want to correlate that very quickly, you need a lot more processing power. They base the pricing on processing power rather than on the amount of data. That is not a bad approach because that is scalable up and down depending on the needs of the organization, so the pricing from Splunk is a bit weird. That is what most people that I speak to are unhappy about because the cost can literally explode. I saw clients spend two million dollars a year just feeding data into the Splunk solution. You might have spent two million in feeding data into the SIEM tool a year, but the next year, it could be half of that. You find yourself frequently in an unpredictable situation of how much cost you are going to generate with your SIEM tool, so Splunk or Cisco needs to come up with a better and more scalable way of pricing their SIEM tool.

Overall, Splunk is among the top three SIEM tools due to its capabilities and agility in bridging business analytics with security needs. They very much deserve where they stand on the Gartner Magic Quadrant. I like it a lot better than ArcSight, which was owned by HP at one point or another. In comparison to that, Splunk is much more agile and quick. It comes from a business analytics perspective. It is a lot easier to build the bridge between the business and security based on that platform. As far as stability and scalability are concerned, it is a brilliant solution.

I would rate Splunk Enterprise Security a nine out of ten.

My main use cases for Splunk Enterprise Security include insider threat hunting, supporting operations, and Threat Intel integration for security; I have a lot of use cases.

The features of Splunk Enterprise Security benefit my organization by providing a faster response and making it easier for the analyst to investigate.

The features I appreciate the most about Splunk Enterprise Security are the Enterprise Security features, the threat intelligence of Enterprise Security, the onboarded ones, and the versioning of the rules introduced on Enterprise Security; these are the top ones.

My organization uses risk-based alerting in Splunk Enterprise Security. Splunk Enterprise Security has supported my SOC a lot, however, we have some challenges due to the architecture of our network, so there is some custom work to be done by Splunk engineers to help us maximize the benefits.

I am using new threat detection features in Splunk Enterprise Security, including the onboard ones and Mandiant. These new features have highly improved our threat detection capabilities.

Splunk Enterprise Security has helped improve my organization's business resilience.

I'm not dealing with pricing, setup costs, or licensing for Splunk Enterprise Security; I'm focused on the technical part. What works with Splunk Enterprise Security is that it does work in general; I haven't faced any challenges; it's great.

Improving Splunk Enterprise Security is a challenging task; I have already reported several technical issues to the relevant teams and received solutions from them.

One favor I ask for them is just to keep maintaining the on-prem version of Enterprise Security and not move everything to the cloud since we operate mostly in an air-gapped environment, so we only use some of the features of it.

Some additional features that should be included in the next release of Splunk Enterprise Security are an integrated Attack Range, not as a separate solution, and providing a way to test the rules in the production environment.

I've been using the solution for 11 years.

I have not experienced any downtime, crashes, or performance issues with Splunk Enterprise Security.

Splunk Enterprise Security scales pretty well with the growing needs of my organization; we don't have issues. I have expanded the usage of Splunk Enterprise Security a lot. The process of expanding usage has been smooth; I have no problems so far, and it scales very easily.

I would evaluate customer service and technical support for Splunk Enterprise Security as fast.

Positive

I would describe my experience with deploying Splunk Enterprise Security as straightforward.

I have seen a return on investment with Splunk Enterprise Security, definitely, however, I don't have the specific metrics to back that up.

The most significant challenge I face when using Splunk Enterprise Security for advanced threat detection is alert fatigue. Although there are ways to mitigate it, it remains a persistent issue, as evidenced by complaints from analysts. While alert fatigue is alleviated to some extent, it still persists.

My advice to other organizations considering Splunk Enterprise Security is to at least give it a try; I know there are other solutions in the market, some of which may even be better than Enterprise Security, however, you have everything on a single pane of glass, so I think it's definitely something that enterprises should test.

On a scale of one to ten, I rate Splunk Enterprise Security an eight out of ten.

Typically, the standard approach for Splunk sizing involves gathering data from the entire IT environment, regardless of whether it's hardware, virtualized, or application-based. This data is then collected and monitored through Splunk as a comprehensive security solution. We also work with Splunk-related platforms like Application Performance Monitoring to provide a holistic view of system performance. Recently, we implemented this solution for a bank in Jetar. Splunk excels at collecting high-volume data from networks, making it ideal for performance monitoring and scaling. During the sizing process, it's crucial to calculate the daily data ingestion rate, which determines the amount of data Splunk Enterprise needs to process and visualize for security purposes. Several factors need consideration when sizing Splunk: tier structure hot and cold buckets, customer use cases for free quota access, and storage choices based on data access frequency. Hot buckets typically utilize all-flash storage for optimal performance and low latency, while less frequently accessed data resides in cold or frozen buckets for archival purposes. In essence, the goal is to tailor the Splunk solution to meet the specific needs and usage patterns of each customer.

One challenge that our customers face is slow data retrieval. Customers may experience delays in retrieving call data due to complex search queries within Splunk Enterprise Security. These queries can sometimes take up to an hour and a half to execute. Our architecture incorporates optimized query strategies and customization options to significantly reduce data retrieval times. This enables faster access to both hot and cold data. 

Another challenge is scalability constraints. Traditional solutions may have limitations in scaling to accommodate increasing data volumes. This can be a significant concern for customers who anticipate future growth. Our certified architecture is designed for easy and flexible scalability. It allows customers to seamlessly scale their infrastructure based on their evolving needs, without encountering the limitations often faced with other vendors' solutions.

The final challenge is complex sizing and management. Traditional solutions often require extensive hardware configuration and sizing expertise, which can be a challenge for many organizations. This reliance on hardware expertise can hinder scalability and adaptability. Our architecture focuses on software and application administration, minimizing the dependence on specific hardware configurations. This simplifies deployment and ongoing management, making it more accessible to organizations with varying levels of technical expertise.

Our architecture leverages Splunk's native deployment features, including: 
Index and bucket configuration. Data is categorized into hot, warm, and cold buckets for efficient storage and retrieval. Active/passive or active/active clustering. This ensures high availability and redundancy for critical data. Resource allocation. Data, compute, and memory resources are distributed evenly across clusters for optimal performance.

For high-volume data ingestion exceeding 8 terabytes per day, we recommend deploying critical components on dedicated physical hardware rather than virtual machines. Virtualization can introduce overhead and latency, potentially impacting performance. Utilizing physical hardware for these components can help mitigate these bottlenecks and ensure optimal performance for large data volumes.

Splunk Enterprise Security provides visibility across multiple environments. IT leaders and management directors often seek a simplified monitoring tool that can handle everything. However, using a third-party tool or a monitoring tool for multiple environments comes with certain considerations. These may include software version upgrades, connector updates, or API integrations for collecting specific metrics beyond the usual ten. Therefore, the key factors for a customer choosing a monitoring solution are, how easily can the tool integrate with existing physical, virtual, microservices, or hyper-scaler environments, whether it can provide a centralized view of monitoring data across multiple environments, and whether it can integrate with existing data analytics tools like Cloudera, Starburst, or Teradata. Integrating a monitoring solution with data analytics is crucial for a complete picture. While a standalone monitoring solution can help with capacity planning, data analytics provides insights for code analysis and historical data. This allows management to plan budgets, reduce costs, and make informed decisions for the future. Combining a monitoring tool like Splunk Enterprise Security with a data analytics engine like Cloudera or Teradata maximizes the value of data and empowers better decision-making.

Our monitoring tools offer various functionalities, including detection and third-party integration. For example, we have an integration with TigerGuard, a platform for threat detection. Additionally, we provide robust auditing capabilities to track changes within the environment. This helps identify potential intrusions and suspicious activity, whether from internal or external actors. To ensure the security of our monitoring tools, we implement several prevention and protection mechanisms. This includes continuous monitoring of logs and audits, even in case of tool failure. Leading enterprise monitoring solutions often connect to dedicated audit servers via SNMP traps, providing a centralized view of all infrastructure changes. This allows administrators, like Splunk users, to easily track modifications and identify potential security risks. Furthermore, individual software products within our monitoring suite have their access control lists and security measures. These may include features like certificates, user authentication, and security manager integration. Additionally, some products offer optional plugins or add-on licenses to enhance their auditing capabilities and meet specific organizational security requirements. Security is a complex and multifaceted topic, encompassing various aspects. This includes data location, user activity monitoring, intrusion prevention, and incident recovery procedures. Addressing these concerns effectively requires a comprehensive security platform assessment that evaluates the entire system, from hardware to applications, ensuring data integrity, encryption, and overall security at every layer.

Threat intelligence management utilizes dedicated tools for both threat and incident management. These tools help organizations define their response plan in case of an event, including how to recover, what the RTO and RPO are, and how to achieve them. This ensures the organization can recover quickly and efficiently in the event of a failure, unauthorized access, or data deletion. While threat incident management strategies may vary depending on the customer, the banking sector typically undergoes rigorous threat management inspections. While I may not be a threat management expert, there are crucial security measures to consider, encompassing personnel training, hardware security, and application controls. These elements, when orchestrated harmoniously, contribute to a secure environment that minimizes the risk of breaches, facilitates successful audits, and ensures data integrity.

The effectiveness of the threat intelligence management feature depends on how the customer responds to various threats, such as ransomware or network intrusions. While the tool provides recommendations, it requires customization to align with each organization's unique categorization criteria like high, medium, low, and specific security objectives. Ultimately, the goal is to protect data, enhance security, and ensure effective incident response procedures. Deploying the threat intelligence tool necessitates customization for each customer. Default settings may not be optimal, as human intervention might be necessary to address potential software errors or inaccurate recommendations. In such cases, manual intervention might be more effective. Therefore, the tool's usefulness depends on the specific threat, its recommendations, and the organization's response approach.

Splunk Enterprise Security is a powerful tool for analyzing malicious activity and detecting breaches. However, its effectiveness depends heavily on proper configuration and skilled administration. They must be able to connect Splunk with the necessary parameters, collect logs daily, and analyze them effectively. They must also have the ability to query Splunk efficiently to gather relevant data, an understanding of use cases and how to integrate with other systems securely, customization of the environment to meet specific needs, including adding connectors and add-ons, and visualization of data in a way that is clear and actionable for both analysts and management. While Splunk is a valuable platform, it requires careful management and expertise to unlock its full potential. Companies deploying Splunk should invest in skilled administrators to ensure its effectiveness in securing their environment.

Splunk helps us detect threats faster. As a Splunk administrator, I can monitor for suspicious activity, such as sudden changes in behavior, high resource utilization on specific file shares, or unusual data transfers. These events can trigger questions, like, Why is the system experiencing high utilization, is data leaking and being transferred elsewhere, why is this application consuming excessive resources, why has data suddenly disappeared from the system? Splunk Enterprise Security provides valuable insights and helps identify potential security issues. However, integrating threat intelligence management with Splunk can further automate this process. When suspicious activity is detected, the system can automatically take predefined actions. However, these actions require customization and testing before implementation. This may involve, customer review and approval of the automated response, POC testing to validate the effectiveness of the response, regular monitoring of the system's behavior and response to threat intelligence, and fine-tuning or customization of Splunk Enterprise Security settings to optimize threat detection and response.

Splunk has been beneficial to our organization from a partnership perspective. Even after Dell's acquisition of Cisco, our strong collaboration and certified solutions continue. This partnership strengthens our position with customers seeking the best solutions on the right platform. For example, if a customer requires a Splunk solution and a competitor lacks certified solutions, it could hinder their trust and purchasing decision. In contrast, our close collaboration with Splunk and certified add-ons for Splunk Enterprise Security adds value. We possess expertise in various Splunk architectures. I've worked with over four banks in Saudi Arabia alone that utilize Splunk and Dell hardware. Globally, we cater to diverse Splunk architectures and platforms, ensuring customer satisfaction with our diverse technology expertise. While we acknowledge competition, the focus here is on how our partnership with Splunk enhances the integration experience, offering both tightly coupled and loosely coupled architectures.

Since implementing Splunk Enterprise Security, we've observed improvements in both stability and the accuracy of data visualization. The low latency allows us to efficiently query the extensive data it provides. Splunk goes beyond collecting basic metrics like CPU or memory utilization; it comprehensively gathers data from various sources, including networks, applications, and virtualization. This unified platform eliminates the need for siloed solutions and enhances the capabilities of existing engineering software. While Splunk is a popular choice for data analysis due to its powerful features, its pricing structure based on daily data ingestion can be expensive. This pricing model, however, allows them to accurately charge based on resource usage. It's important to consider your data collection and visualization needs to determine the appropriate licensing tier. While other monitoring tools might share similar pricing models, Splunk distinguishes itself through its data segregation across various components. This simplifies communication between indexes, forwarders, and searches, allowing for efficient data processing within a single platform. Additionally, Splunk excels in data visualization and analytics, making it a leading choice for security and observability solutions. Their recent top ranking in Gartner's observability category further emphasizes their strengths. This recognition stems from their platform's compatibility with diverse hardware vendors, exceptional data visualization capabilities, and innovative data segregation strategies. Splunk's tiered access control and efficient cold/frozen data storage further enhance its value proposition. Ultimately, Splunk empowers users to interact with their data effectively. This valuable asset, when properly understood and visualized, can provide actionable insights without impacting network or application performance. Moreover, Splunk's customization and implementation potential extend beyond data analysis, offering recommendations and threat intelligence for proactive security measures. In conclusion, while Splunk's pricing might initially appear expensive, its comprehensive features and capabilities justify its cost for organizations seeking advanced data analysis and security solutions.

Realizing the full benefits of Splunk Enterprise Security takes time. While the software itself can be deployed quickly, it requires historical data to function effectively. This means collecting data for some time before you can rely on it for accurate insights. Several factors contribute to the time it takes to see value. First, there is deployment and customization. Setting up Splunk involves hardware, software, and integration, which can be time-consuming, especially during the first year. The second is data collection. Building a historical data set takes time, and the initial period may not provide significant value. There is also customization and training. Tailoring reports and training users requires additional investment, potentially involving workshops and professional services. To expedite the process, Splunk offers various resources including, proof of concept which allows testing Splunk with a limited data set for a specific period. Splunk may offer temporary free licenses for small workloads to facilitate initial evaluation. Splunk provides educational resources to help customers understand and utilize the platform effectively. Additionally, some partners leverage their Splunk expertise to help customers. Partners can educate and guide customers through the process, streamlining their experience, and assist with customizing reports and training users, accelerating the value realization process. By understanding these factors and leveraging available resources, organizations can optimize their Splunk implementation and achieve its full potential within a reasonable timeframe.

Splunk has been recognized by Gartner as a leader in providing visibility for observability and monitoring across various platforms, including physical, virtual, and container environments, for several years. This has made it a popular choice for many organizations, including those in the banking industry. Currently, only one of our banks utilizes QRadar. This may be due to the cost associated with switching from Splunk, which can be expensive. As a result, the customer might be prioritizing financial considerations over functionality at this time. It's important to note that while Splunk is recognized as a leader in platform capabilities, the decision to use a specific solution should ultimately be based on both functionality and cost considerations. This is why we have established a joint engineering team with Splunk to develop a platform that meets the needs of our customers.

I'd like a dashboard that allows me to connect elements through drag-and-drop functionality. Additionally, I want the ability to view the automatically generated queries behind the scenes, including recommendations for optimization. This is just a preliminary idea, but I envision the possibility of using intelligent software to further customize my queries. For example, imagine I could train my queries to be more specific through an AI-powered interface. This would allow me to perform complex searches efficiently. For instance, an initial search might take an hour and a half, but by refining the parameters through drag-and-drop and AI suggestions, I could achieve the same result in just five minutes. Overall, I'm interested in exploring ways to customize queries for faster and more efficient data retrieval. Ideally, the dashboard would provide additional guidance and suggestions to further enhance my workflow through customization and optimization.

I have been using Splunk APM for four years.

The stability of Splunk Enterprise Security depends on how data is tiered. Splunk recommends different storage options based on data access frequency and volume. Hot and warm data: This data is accessed frequently and requires fast storage like SSD or NVMe. Cold and frozen data: This data is accessed less often and can be stored on cheaper options like Nearline, SaaS, NAS, or object storage.

Splunk prioritizes cost-effectiveness and recommends low-tier storage for cold and frozen data, which typically makes up the majority of customer data. This reduces costs compared to expensive SAN storage. However, the decision ultimately depends on the customer's budget and specific needs. Customers with limited budgets or small use cases might choose to store all data on a single platform initially and expand to dedicated cold and frozen storage later. This approach requires manual configuration changes e.g., modifying index.conf and forwarder configurations to redirect data to the new tier.

While Splunk recommends optimal tier configurations for hot, warm, cold, and frozen data, the final decision rests with the customer based on their budget and specific requirements.

Changes to storage tiers can be implemented later through configuration adjustments, but this process might be more complex than using dedicated storage from the beginning.

Overall, Splunk guides the best tier options for different data access patterns while acknowledging the customer's autonomy in making the final storage decision.

We have ambitious expansion plans. As our customer base grows, we see significant increases in data ingestion. For example, one of our largest Splunk customers has increased its daily data ingestion from two terabytes to eight terabytes in just three years. This expansion benefits both the customer and Splunk. The customer gains valuable insights from the additional data, while Splunk increases its revenue through additional license sales. However, it's important to note that expanding data ingestion requires careful consideration of hardware limitations. Increasing data volume necessitates adding more forwarders, indexes, and searches, which can impact Splunk licensing requirements. This highlights the crucial need for comprehensive planning and resource allocation during expansion initiatives. Furthermore, we have observed instances where customers unintentionally exceed their licensed data ingestion capacity. For example, one bank was ingesting six terabytes of data per day while only holding a four-terabyte license. This underscores the importance of close monitoring and proactive license management to ensure compliance and avoid potential licensing issues.

Our expertise extends beyond Splunk. We offer certified architectures for other SIEM solutions like IBM QRadar, catering to diverse customer requirements. However, IBM QRadar does not have as wide of a platform as Splunk Enterprise Security.

Splunk can be expensive, as its licensing is based on the daily data ingestion volume. While we've observed numerous implementations, most are executed remotely by Splunk itself. However, if on-site assistance from a Splunk engineer is desired, it can be costly due to travel expenses from either the Dubai office or Europe. To address this, Splunk is exploring partnerships to offer implementation services at more accessible price points.

For someone evaluating SIEM solutions and prioritizing cost, traditional marketing materials may not be the most effective approach. Customers in Saudi Arabia, like many others, often appreciate tangible demonstrations of value. Therefore, consider offering a POC to showcase Splunk's capabilities in their specific environment. Investing in the customer through various strategies can demonstrate your commitment and build trust. Granting temporary access allows them to experiment with Splunk firsthand. Provide resources and support to help them learn and utilize the platform effectively. Leverage your partner network to offer additional training and expertise. Invite key decision-makers to exclusive events or meetings with Splunk leadership, fostering a deeper connection and understanding. Remember, success often hinges on addressing specific needs. While POCs and business cases are crucial, consider potential customization requirements and existing workflows. If they've used a different tool for years, transitioning may require additional support and training due to established user familiarity. Splunk's investment in the customer journey goes beyond initial acquisition. By offering POCs, temporary licenses, training, and even exclusive experiences, you demonstrate value and commitment, ultimately fostering long-term success. Demand generation, in essence, boils down to two key aspects, Identifying their specific requirements and desired outcomes, and recognizing that different customers have varying budgets, experience levels, learning curves, expectations, and decision-making processes. While some customers may be more challenging to persuade, others readily embrace the extra mile. Enterprise clients often fall into the latter category due to their greater flexibility in resource allocation, dedicated security operations teams, and ability to invest in necessary hardware. Remember, SIEM solutions often involve hardware considerations beyond just software, so understanding these additional costs is crucial for accurate solution sizing and customer budgeting.

Several competitors to Splunk exist in the market, including IBM QRadar, AppDynamics which is used by some customers for monitoring and security, and Micro Focus used for enterprise monitoring, incident reporting, and capacity planning. While Dynatrace is a leader in the field, its presence in the banking sector, particularly in Saudi Arabia, seems limited, perhaps due to having only one certified partner acting as its distributor. In contrast, Splunk boasts a wider network of partners who actively implement and enable customers, leading to its increased market prevalence.

I would rate Splunk APM a nine out of ten.

Monitoring multiple hyperscalers with a single tool can be challenging. While some tools like VMware CloudHealth offer limited cross-platform capabilities, they often focus on specific aspects like virtual instances and storage. For comprehensive cloud monitoring across different hyperscalers like Azure and AWS, third-party solutions are typically necessary. Here at Dell, for example, we focus on monitoring tools for our own workloads and installed base, allowing integration with third-party solutions for cloud environments. This enables customers with workloads across multiple hyperscalers to leverage established enterprise monitoring tools like New Relic, AppDynamics (Cisco), Micro Focus (HP), and Splunk for unified visibility. Ultimately, choosing a solution often involves balancing operational and capital expenditures. By employing third-party tools, organizations can achieve comprehensive monitoring across various cloud environments while potentially reducing overall costs.

We offer various deployment options for Splunk to cater to diverse customer needs and regulations. We can deploy Splunk on various infrastructures, including hyper-converged, bare-metal, two-tier, and three-tier architectures. While cloud deployment is an option, regulations from the Saudi Central Bank restrict customer data storage outside the kingdom. Therefore, most of our customers in the financial sector opt for private or local cloud solutions. While a dedicated private cloud experience for Splunk isn't currently available, customers are seeking access to features like the SmartStore, a caching tier that is now bundled with the Enterprise Security license previously offered separately from version 7X onwards. The chosen deployment approach depends on factors like budget, customer expectations, performance requirements, and compatibility with Splunk's recommended sizing solutions. We utilize both internal sizing tools and Splunk's official tools to ensure proper resource allocation for indexers, search heads, and forwarders based on specific customer needs. We have deployed our Dell servers, storage, and data protection solutions. Additionally, we have implemented a reference architecture. From a hardware perspective, we have everything in place to support Splunk as a reference architecture. This is indisputable, as it reflects our current infrastructure.

I have one customer who uses Splunk on a single site. In contrast, other customers have deployed Splunk in an active-active cluster configuration across two sites, effectively segregating the data across the environments with two-factor authentication. For these other environments, I have observed that each customer has a unique monitoring perspective or performance requirement, reflected in their individual subscriptions.

Splunk is responsible for software maintenance, while we handle the hardware aspects.

Splunk Enterprise Security is one of the most mature security solutions available. While it is expensive, it offers good value by providing the necessary security measurements, monitoring, and auditing capabilities required for running an enterprise environment. 

The combined forces of Splunk and Dell create significant resilience for us. Our joint architecture, strong alignment between the Dell account team and Splunk sales and presales, and collaborative efforts have been instrumental in addressing specific customer needs, such as sizing. This collaboration is mutually beneficial: Splunk focuses on selling licenses, while Dell prioritizes hardware sales. Unlike Cloudera, which optimizes licenses for its platform, Splunk bases licensing on the ingestion rate, demonstrating its alignment with our advanced architecture. This creates a win-win situation for both companies.

My usual use cases for Splunk Enterprise Security include normal reporting.

Splunk Enterprise Security has positively impacted my organization by increasing security defense. It provides a good environment for defense.

The most valuable features of Splunk Enterprise Security are reporting capabilities. It is a good tool for checking systems and analyzing situations. I find it useful to check my systems and analyze situations.

The documentation and training resources available for knowledge and training can be expanded. We need to learn more about Splunk Enterprise Security and new security attacks.

I have been working with Splunk Enterprise Security during the last year.

I would rate Splunk Enterprise Security an eight out of ten for stability. In security, nothing is 100%.

I would rate the scalability of Splunk Enterprise Security an eight out of ten. I have not tried anything to scale up or scale out as it is a new setup, but I believe it will be easy for that.

I would rate the technical support of Splunk a seven out of ten. Sometimes there are delays. It is related to their giving a response after some time.

Neutral

I used QRadar. The switch from QRadar to Splunk Enterprise Security was a management decision. We moved to Splunk Enterprise Security because of its benefits. Splunk's support is better, and its reporting is easier and better. There are also pricing advantages.

It is a normal process. It isn't complex, but it is a new setup with new interfaces and a new way of thinking. It is always a challenge to use new software, and it takes some time to get familiar with it.

I can install Splunk Enterprise Security myself, though some things require dealing with external assistance.

We have not calculated ROI in our environment. I have not received any assignment or recommendation to calculate ROI.

The pricing of Splunk Enterprise Security is somewhat high, but comparing it with its benefits, it's acceptable. It depends on the type of business.

Overall, I would rate Splunk Enterprise Security an eight out of ten.

We use Splunk Enterprise Security for security monitoring.

Advanced correlation capabilities help to identify the patterns of malicious activities.

Machine learning capabilities in Splunk Enterprise Security have been effective for identifying and preventing incidents. Through machine learning, they correlate all the data and create notable events, which helps us identify malicious or suspicious traffic.

We have used the risk-based alerting a little bit. So far, it's been just fine. We haven't gone deep into it. Our other operations team hasn't utilized it to its full capacity, but it makes a pretty good filter overall.

The impact of automated responses provided by Splunk Enterprise Security has been very good on the efficiency of routine security operations.

The incident review in Splunk Enterprise Security seems to be the most helpful feature. 

It would be nice to have more advanced UEBA in Splunk Enterprise Security. Additionally, it would be beneficial if they offered more threat intel feeds for free. 

Furthermore, incorporating Attack Analyzer into the main product instead of having it as a separate paid purchase would be an improvement.

I have been using the solution for about three years.

I've had an issue only once with one of their products, but overall, it's been pretty good.

Its scalability is pretty good.

For Splunk Enterprise Security, it's been pretty good. For the regular Splunk Enterprise Platform, overall, it's like a C-minus. One thing that I probably dislike the most about the Splunk product is their support.

Neutral

I previously used LogRhythm. Splunk Enterprise Security is more advanced compared to other solutions, which makes it stand out as a better option.

I deployed Splunk Enterprise Security using professional services, and overall, it was good. My main responsibility was handling the coordination. The full implementation took about four months.

Approximately 90% of maintenance is done by Splunk.

The implementation was handled by myself.

We purchased Splunk Enterprise Security through a reseller called AccessIT.

Splunk Enterprise Security is a bit expensive overall, but it provides good value.

I would rate this solution an eight out of ten overall.

I work in a SOC team where I study threat hunting and threat determination. Most of my work is based on looking for malware traffic or suspicious traffic in Splunk Enterprise Security. I belong to the SOC team.

The best feature about Splunk Enterprise Security is its clean interface and the detail it provides. It helps us manage logs with a very clean interface, which is not available in other software. 

They also provide extensive learning resources on their official site that help us while performing tasks. Its documentation and community are very strong, making it a perfect SOC tool. If we come across any problem, we can search the community or consult the documentation for solutions. 

It is very clean and detailed, helping us detect threats easily. Splunk Enterprise Security performs 80% of our work on its own; we just have to do the remaining 20%, which gives us the freedom to explore and detect threats more effectively.

The machine learning capabilities of Splunk Enterprise Security are good, but they can be improved. In a changing threat landscape, its machine learning capability can be improved in behavior-based analysis because signature-based analysis does not work very well currently.

It can improve in detecting new types of attacks or IOCs through behavior-based learning capabilities. For example, if there are malware traffics incoming, it should detect them using network logs more precisely, as most malware traffic uses the same kind of port or attack.

There should be a community program or hackathon-type events where people can develop more advanced and sophisticated machine learning models for Splunk Enterprise Security to enhance its functionality. 

Adding a chatbot similar to GitHub Copilot in Splunk Enterprise Security would be beneficial. It would help write different kinds of sophisticated queries and assist in solving problems we encounter, similar to what we have in VS Code.

There is good scope for developing Splunk Enterprise Security for low-level systems such as Raspberry Pi. However, for server deployment, a robust server is essential. Development should focus on making Splunk Enterprise Security capable of running on devices such as Raspberry Pi.

I used Splunk Enterprise for a long time in previous organizations. I have also used the Community version for my personal projects, which is available for free. I have experience with both Splunk Enterprise Security and the normal Splunk Community version. I still use Splunk Enterprise Security quite frequently when working with SOC and related processes.

Splunk Enterprise Security is highly scalable, which is why approximately 95% of the industry uses it without experiencing scalability problems. It performs exceptionally well when discussing scalability.

I do not remember contacting technical or customer support. Whenever I faced any problem, I usually consulted the documentation or community, and 99% of my problems were solved that way.

I have used Wazuh, Elasticsearch, Kibana, and some basic Linux SOC management tools such as Zeek and Wireshark as alternatives to Splunk Enterprise Security. However, I find Splunk Enterprise Security to be much more advanced than those tools, as they lack automation and machine learning capabilities, requiring customization from the user. Splunk Enterprise Security is more refined and offers a better experience.

Its deployment is difficult. I remember when I first started learning, I faced several challenges, especially when deploying VMware in a virtual environment. It was quite a difficult task. However, when deploying on a server, I would consider it to be at a medium level of difficulty. On the other hand, if you're deploying for a learning lab or something similar, it’s pretty much on the hard side.

For personal home labs, it is a one-person job, meaning a seasoned professional can handle it. For enterprise-level deployment, a person managing operations and a person handling server management is sufficient. After the initial deployment, one person is enough for a mid to low-level company, while a higher-order company requires a team to operate Splunk Enterprise Security.

Splunk Enterprise Security requires very little maintenance on my end, as it has improved significantly. If there are no frequent changes in the server, there is not much maintenance required. I have not invested much time in updates or maintenance, so once deployed, you just need a good professional to use it; maintenance is not much of a concern.

The pricing of Splunk Enterprise Security is fair for what it provides. If someone wants everything for free, it is not a reasonable expectation. Everything comes at a price, and I find it to be affordable, which is why every industry uses it. Its pricing is fair, and the community version works well for learning purposes.

I would rate Splunk Enterprise Security an eight out of ten.