What is our primary use case?
Since we have an IT services company, we have been using Splunk for the deployment to the customer locations as well. Sometimes the customer will come back to us and say that we need to have a SIEM tool, and when we do the benchmarking, we'll do a couple of deployments on the Splunk side and at the customer's locations as well.
As an example use case, we deployed Splunk to a banking institution a few years ago. There the use case was basically this: the customer wanted to set up a security operation center, and they wanted to have a pretty large deployment in terms of the number of endpoints and number of switches and routers. There were many regional branch offices and they have data centers and therefore, many assets in terms of endpoints. They had 30% of their assets are running on the cloud and they needed a complete solution from an incident monitoring and management perspective. That's why we deployed Splunk.
They wanted to reduce the MTTR, and meantime resolution, and maintain detection. They didn't want to add more SOC analysts into their SOC as the organization scaled up. They have a plan to scale from 5,000 endpoints into 15-20,000 endpoints. They're very particular about deploying the SOC operation center.
Splunk has since acquired Phantom as a SOAR platform. Therefore, we have tried to manage the security automation using Phantom with the help of Splunk deployments. It helps us meet the customer's requirements.
How has it helped my organization?
In terms of support, we're able to get the right support at the right time. If there's a break or an appliance issue, they're are on top of it.
This is very important during large-scale deployments. It's not easy to address product-related issues or appliance-related issues, and the number of collectors or number of logs that come into the collector, and managing the collectors across the branch offices, across the corporate offices, etc. It is a cumbersome process for us. That's why it's integral that we get the right support at the right time - and they make this happen.
What is most valuable?
The most valuable aspect of the solution is the dashboard. It's very intuitive.
The reporting is excellent. The team and the SOC analyst are able to easily track the alerts and the correlation is very good compared to other SIEM tools.
What needs improvement?
There are a lot of competitive products that are doing better than what Splunk is doing on the analytics side.
The automation could be better. Typically, the issue that we face is that it has to go to the analytics engine, then goes to the automation engine, basically. Therefore, if there are no proper analytics, the SOAR module is going to be overloaded, and we are not able to get the expected result out from the SOAR module. If they improve the analytics, I think they'll be able to solve these issues very quickly.
The playbooks which they create and provide to premium users can improve a lot. They have to create a common platform wherein the end-customers like us can choose the playbooks, and automation playbooks readily available.
In terms of integration with the third-party tools, what we are seeing is that it's very limited compared to the competitive products. Competitive products have a lot of connectors and APIs that they have developed, and that's where the cloud integration, whether it is a public cloud or a private cloud integration comes in. There are a lot of limitations to this product compared to other products.
For how long have I used the solution?
In terms of Splunk, I've been working on it for more than three years in the current company. Prior to that, I worked with it at another company as well. In total, I have been using Splunk for close to six or seven years.
What do I think about the stability of the solution?
The solution is stable, however, sometimes in some of the collectors, we are facing a lot of issues. That said, overall, if you rate it from one to five, I would say in terms of stability, it will stand at a three.
What do I think about the scalability of the solution?
The scalability is perfectly fine. It's very awesome compared to all the other tools, as easily we can integrate with the log forwarding modules and the collector management appliances or modules. That aspect won't be a problem.
If you look at the SIEM as a market today, Splunk is expensive compared to other competitive products. I'm also into the SIEM evaluation in my current role. I've seen that there are many tools are coming up in the last one and half years. I have also seen many other mature tools that are available now. If you compare next-gen SIEM tools compared to the Splunk, it's expensive. Therefore, it's possible we may not use this in the future or expand on current usage.
How are customer service and technical support?
In terms of technical support, we don't have any issues, as the professional services which they have extended to us are very, very good. We're able to manage many of the critical issues with their support. I'd say we are definitely satisfied with the level of service provided.
How was the initial setup?
In terms of deployment, it's not so complex compared to the competitive products, however, we will be able to manage that deployment. We don't feel there's any problem on the deployment side. In that sense, I don't think deployment is a complex one when somebody going for Splunk as a tool.
How long it takes to deploy the solution depends on the size of the deployment, basically. Even a large deployment won't take more than a week. When I say deployment, I'm considering all the log collection, log management, and the curation of the incidents, and how incidents are created and routed properly according to prioritization.
What was our ROI?
In terms of ROI, for example, if you look at one of our customers today, they are managing close to 100 million events per day. If you look at a traditional SIEM with 100 million events, they need to manage this environment with at least 25 to 30 people. That's 30 security analysts that have to be there. However, when Splunk was deployed, a lot of automation was added on top of it, and today we are managing the same environment with Splunk with close to 15 people. In that sense, if you look at it that way, the ROI is between 30-40%.
What's my experience with pricing, setup cost, and licensing?
In terms of a comparison with the rest of the competition, the licensing cost would be, I would say, 30% higher than most.
Which other solutions did I evaluate?
Before choosing Splunk, we have evaluated QRadar and LogRhythm. QRadar is much more expensive. LogRhythm lacked reporting.
We ended up choosing Splunk due to the pricing and the reporting features. It also had the kind of scalability that was required. We felt it would help us in terms of positioning from both a cost perspective and an incident alert perspective.
What other advice do I have?
We're partners. We have a business relationship with Splunk.
We're using the latest version of the solution.
Overall, I would rate the solution at a seven out of ten.
I'd advise potential new users to ensure they do proper sizing before deploying the product. If it's a very large deployment, the number of endpoints will be quite sizeable. You need to figure out the correct number of endpoints as well as endpoint devices, switches, routers, etc.
It's also a good idea to look at use cases. Splunk is very strong in some use cases. It's important to look into deployment scenarios and check out the use cases before deploying anything.
My biggest takeaway after working with the solution is that the environment is very important. You need to be clear about the problem you are addressing and it takes a lot of planning at the outset.
Which deployment model are you using for this solution?