Splunk User Behavior Analytics Review

Easy-to-configure and easy-to-use solution that integrates with many applications and scripts


What is our primary use case?

Our primary use is intrusion detection and analysis. It is a great product because it is intelligent and does everything for us.

How has it helped my organization?

It is a great product because it is intelligent and does everything for us. We have a LAN (Local Area Network) and sensitive, classified data and we have to be sure it is well-protected.

What is most valuable?

It's a component that is easy to configure and easy to use. They have familiar and friendly dashboards for the users. You can make a lot of dashboards if you want to integrate with it. If you have the basic skills and basic code you can just create more use cases. You can also have alert systems. You have a lot of different alerts that you can use. You can integrate with all the applications and scripts, like with Kaspersky. We integrate multiple publications with this product.

What needs improvement?

Actually, the most valuable aspect of Splunk is the data. You do not need to use your databases to perform everything on all the servers we have. Splunk has three big things it can do with data: it can show it hot, warm and cold. The hot tier allows you to see the data as soon as things happen, maybe to the second. Then we have the warm; the warm segments the data from the hot tier back to three months ago. The cold stores all of the archives of all the data after six months. After that, you can't make comparisons any further.

In the future, we will use Splunk in the SOC (Security Operations Center). In the SOC now, we use one feature; it's called the alert system. So in the future, we want to make it so we can send all the data and we can build its security and its management. It will be published in all the places as it is now. We need to do this so we can build more data centers from all the past and existing data crunch.

For how long have I used the solution?

We have been using the product for three years.

What do I think about the stability of the solution?

From the IBM end and from ArcSight from HP, I think that Splunk works out very well for me. Not 100%, but 80%. IBM has a lot of features not familiar to the user and the support is very bad. ArcSight has support, but they forget they have small issues. So, we use Splunk because it is the pinnacle of the organizations. We have specificity. We don't want any kind of application that can corrupt all our data. So we use Splunk because we see more admirable organizations using it. So we share the knowledge with them.

What do I think about the scalability of the solution?

This solution is scalable depending on your need. The security department belongs to Splunk, so we have approximately 25 people using the system.

We have plans to increase usage soon.

How are customer service and technical support?

If you implement something with this product I think you need one year of technical support. But the first thing you need is your BUC (Business Use Case). The BUC allows you to know how much deploying the application costs and how many prerequisites you need to fulfill. After defining the BUC you will kick off the project, and after you have implemented, you have to purchase one year of support from the vendors. After that, they support you until you are ready for the kick-off of the live project, and you have their support if something goes wrong.

If you previously used a different solution, which one did you use and why did you switch?

For SIEM (Security Information and Event Management), we used to use McAfee, and it was not good for us. And also we used ArcSight. But we also realized it could not do some things. After that, we networked and decided to use Splunk.

How was the initial setup?

It's good we are using the firewall and it's very good for Splunk. Implementing the system depends in most cases on your prerequisites. You have to know what you are building in the environment, how many servers you have, how many other devices, restrictions, and routing. It's a different environment depending on how many applications you have.

So the choices depend on what you need most of the time. We assigned a project manager for technical support for planning. I think it took us six months to have it running. But it could be very different in other situations.

What's my experience with pricing, setup cost, and licensing?

There are a few things about the price. There are several packages, but if you want to use it as an enterprise, you have to pay the enterprise price. That is, the initial price is for the basic enterprise application, but you get charged for volume used, not per user. Initially, we bought 100GB and now we have bought 200GB.

Other applications you want to install for additional, integrated functionality cost more. For example, Splunk has two modules you need in order to use it optimally, I think. One is for applications. It's called Splunk Enterprise Security. After that, you will want to purchase another application called Defense. So it's more than one model for pricing. The more you use, the more you pay. It comes with unlimited users and volume discounts.

Which other solutions did I evaluate?

We worked with McAfee and ArcSight, but Splunk turned out to be better.

What other advice do I have?

From my experience and from the security perspective, I recommend this product for all the people that need good security for investigation. The Splunk team and products are good for those purposes.

The storage gets better priced with the amount you use. The storage is very expensive if you take some of the license options from the company. We won't be using unlimited storage for how much data will be imported from our bandwidth. I think the unlimited license is good because we will use a lot.

On a scale from one to ten, where one is the worst and ten is the best, I would rate Splunk User Behavior Analytics as a nine. I didn't give them ten because Splunk does not provide something for professional investigation. There is something that prevents you from using data the way you want to use it in an investigation. Sometimes with Splunk, we cannot bring the data out in a better form and some users cannot understand it exactly. What I am talking about is options for a more professional investigation, not for normal behaviors. If you want to just look at normal behavior the program will give you all you need. But sometimes you need other use cases to see the action.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
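The hot, warm and cold tiers the reviewer describes under "What needs improvement?" are set per index in Splunk's indexes.conf. The stanza below is an added illustration and is not the reviewer's configuration nor taken from Splunk's documentation; the index name "secops", the paths and the retention values are assumptions, chosen to roughly match the three-month warm window and six-month cold window mentioned in the review.

```ini
# Added example, not from the review: indexes.conf stanza for a hypothetical "secops" index.
# Splunk .conf files only accept comments on their own line, so none are placed after values.
[secops]
# Hot and warm buckets share homePath; cold buckets go to coldPath (typically cheaper storage).
# thawedPath receives archived (frozen) buckets that are restored for an investigation.
homePath   = $SPLUNK_DB/secops/db
coldPath   = $SPLUNK_DB/secops/colddb
thawedPath = $SPLUNK_DB/secops/thaweddb

# A hot bucket is rolled to warm once it spans one day of event time (86400 s).
maxHotSpanSecs = 86400

# Warm buckets roll to cold by count, not by age: with one warm bucket per day,
# about 90 buckets is roughly the three-month warm window described in the review.
maxWarmDBCount = 90

# Buckets whose newest event is older than 180 days (15552000 s) are frozen.
frozenTimePeriodInSecs = 15552000

# Frozen buckets are DELETED unless an archive destination (or coldToFrozenScript) is set.
# Pointing coldToFrozenDir at an archive path keeps the data for later thawing.
coldToFrozenDir = /archive/splunk/secops
```

Two caveats a practitioner checks before relying on this: the warm-to-cold transition is driven by bucket count or total size (maxWarmDBCount, maxTotalDataSizeMB), not by age, so "three months" only holds if bucket rolling is steady; and only the cold-to-frozen transition is time-based, and without coldToFrozenDir or coldToFrozenScript the frozen data is gone, which is exactly the point past which the reviewer says no further comparisons are possible.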