Mick - PeerSpot reviewer
Sr. Production Support Analyst at Electric Reliability Council of Texas
User
Quickly searches logs, performance data, and other inputs to assist with troubleshooting
Pros and Cons
  • "The ability to quickly search logs, performance data, and other inputs has helped tremendously with troubleshooting."

    What is our primary use case?

    Operational intelligence monitoring for several different systems. We collect logs from applications and performance data from hardware, as well as information pulled from databases.

    How has it helped my organization?

    The ability to quickly search logs, performance data, and other inputs has helped tremendously with troubleshooting. The visualizations are easy and well received by business and management users. 

    What is most valuable?

    It is easy to integrate with other solutions, like Slack, JIRA, Remedy, etc.

    For how long have I used the solution?

    Three to five years.
    Buyer's Guide
    Splunk Enterprise Security
    April 2024
    Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
    771,170 professionals have used our research since 2012.

    How are customer service and support?

    The user community is extremely beneficial, particularly with Splunk Answers and the Slack User Groups.

    What's my experience with pricing, setup cost, and licensing?

    The licensing model can be expensive, but the value it provides is significant.

    What other advice do I have?

    The recent acquisition of Phantom makes the future seem bright with more automated responses.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Director of IT at BLUE LAKE RANCHERIA
    Real User
    Aggregation searches have reduced the time and difficulty of identifying trends and conditions which need to be reviewed
    Pros and Cons
    • "Splunk has significantly reduced the time in performing the task of aggregating logs, reviewing as well as time spent during investigations."
    • "Aggregation searches have reduced the time and difficulty of identifying trends and conditions which need to be reviewed."
    • "The case management area of the ES could be improved: the ability to move cases through various stages and states. The ability to close a case would be a key improvement."

    What is our primary use case?

    We primarily use Splunk for log aggregation and search across multiple systems, with Splunk Enterprise Security layered on top.

    How has it helped my organization?

    Splunk has significantly reduced the time in performing the task of aggregating logs, reviewing, as well as time spent during investigations. This has not only increased our speed of response, but our efficiency dealing with the issue(s) raised.

    What is most valuable?

    Aggregation searches, allowing for conditions to be automatically found in the data, have reduced the time and difficulty of identifying trends and conditions which need to be reviewed.

    What needs improvement?

    The case management area of the ES could be improved: the ability to move cases through various stages and states. The ability to close a case would be a key improvement.

    For how long have I used the solution?

    One to three years.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Security Architect at an energy/utilities company with 1,001-5,000 employees
    Vendor
    Some of the valuable features: machine learning, Common Information Model, and log storage.
    Pros and Cons
    • "Ease of correlation: creating correlation searches is easy, and you can combine multiple sources with little effort."
    • "The GUI can be improved to include some of the capabilities that other BI solutions have."

    How has it helped my organization?

    • We can do things in minutes instead of days.
    • We solve issues which we could not before, since we have the data.
    • We can quickly search for almost anything across many log sources in seconds.
    • Teams have the dashboards or alerts that they need.

    What is most valuable?

    There are too many features to list, but here are a few:

    • Schema on the fly.
    • Ease of onboarding data.
    • Machine learning.
    • Apps on Splunkbase.
    • Great list of apps to use and also build upon once you learn more about how Splunk works.
    • We build many of our own apps by leveraging the logic in the others.
    • Ease of correlation: creating correlation searches is easy, and you can combine multiple sources with little effort.
    • Data Model Acceleration for super fast searches across tens of millions of events.
    • Common Information Model.
    • Security Essentials App.
    • Enterprise Security.
    • Splunk SPL (Search Processing Language) is easy to learn and has IDE-like capabilities.
    • Log storage or compression is great, and retention is not an issue.
    • Dashboards are simple to create, and the input options like Time Range, Text, and Drop-downs are simple to create.
    • Integration with cloud solutions is great and keeps getting better.
    • Can get info from REST APIs easily, and there are apps for services like ServiceNow, Azure, Office365, etc.

    What needs improvement?

    The GUI can be improved to include some of the capabilities that other BI solutions have. Basically, the layout is a little restrictive where you can’t resize all the panels to exactly how you would like them without tweaking some XML code. Over the years, they have really been improving in this area. I would think that will continue and this could become a non-issue.

    What do I think about the stability of the solution?

    There were no issues with stability.

    What do I think about the scalability of the solution?

    There were no issues with scalability.

    How are customer service and technical support?

    Technical support is excellent. They also have Splunk Answers, which is community driven and is great.

    Which solution did I use previously and why did I switch?

    We were not able to get the value we needed from the previous solution. It was too difficult or complex. With Splunk, we can do things we want and things we have not even dreamed of yet.

    How was the initial setup?

    The initial setup was straightforward. We had the POC up in minutes. Within days, we got more value out of this solution than our existing solution.

    What's my experience with pricing, setup cost, and licensing?

    While licensing can be a concern, there are ways to reduce the licensing costs including filtering some events. We have replaced many solutions with Splunk, which have more than paid for the Splunk licensing.

    Which other solutions did I evaluate?

    We evaluated ArcSight, QRadar, and LogRhythm.

    What other advice do I have?

    Do a PoC and you will be amazed. Also, check out the Splunk .conf sessions to see what is possible. If you are into security, watch Mark Russinovich’s RSA 2017 presentation about Sysmon. Check out free EDR type capabilities.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    MS Alam - PeerSpot reviewer
    MS Alam, System Administrator at Abdullah Al-Othaim Markets
    Real User

    I agree with you, Mr. Kent. This machine has more valuable features.

    Junior SAP Security Engineer at Sagesse Tech
    Real User
    Helps reduce our alert volume, speed up security investigations, and normalize data
    Pros and Cons
    • "The graph visualization is the most valuable feature."
    • "The UI can be difficult to understand for non-technical people."

    What is our primary use case?

    We use Splunk Enterprise Security for our enterprise security.

    How has it helped my organization?

    Adding more use cases to Splunk can improve our threat detection speed.

    It has helped normalize our data.

    Splunk Enterprise Security has helped reduce our alert volume and speed up our security investigations.

    What is most valuable?

    The graph visualization is the most valuable feature.

    What needs improvement?

    Splunk Enterprise Security needs to improve its stability.

    The UI can be difficult to understand for non-technical people.

    For how long have I used the solution?

    I have been using Splunk Enterprise Security for four months.

    What do I think about the stability of the solution?

    I would rate the stability of Splunk Enterprise Security a four out of ten. Some bugs cause downtime.

    What do I think about the scalability of the solution?

    I would rate the scalability a six out of ten.

    What other advice do I have?

    I would rate Splunk Enterprise Security an eight out of ten.

    Splunk Enterprise Security's robust framework enables it to support a wider range of use cases, making it more adaptable and versatile for tackling diverse security challenges.

    We have Splunk Enterprise Security deployed across multiple locations.

    Splunk Enterprise Security's visualizations are detailed and help users normalize data, making it extremely useful.

    The vast array of use cases enabled by Splunk Enterprise Security empowers security teams to address diverse threats and enhance overall security posture.

    Which deployment model are you using for this solution?

    Private Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Security Architect at a tech services company with 51-200 employees
    Real User
    Cloud-ready, with forums and README tutorials that cover everything you need to know
    Pros and Cons
    • "Splunk would be my choice for the presentation layer because it comes with inbuilt reports and a dashboard that you can customize."
    • "I haven't found a way for me to create my own plugins and integrate them into Splunk, but this isn't necessarily a limitation; it could simply be a lack of knowledge on my part."

    What is our primary use case?

    Splunk just acts as an extra presentation layer, and we tried it because of the plugins they have to try and get more logs into the environment.

    What is most valuable?

    Splunk would be my choice for the presentation layer because it comes with inbuilt reports and a dashboard that you can customize.

    What needs improvement?

    Aside from the 5GB limit on the community version, I believe it is the same as ELK. It's a useful tool, and nothing comes to mind right now.

    I haven't found a way for me to create my own plugins and integrate them into Splunk, but this isn't necessarily a limitation; it could simply be a lack of knowledge on my part.

    What do I think about the stability of the solution?

    Splunk is a stable solution. I am very happy with the stability of Splunk.

    What do I think about the scalability of the solution?

    Splunk can be scaled to any environment. The way it's designed, it's cloud-ready, and it has a lot of performance, in-built indexing, and performance tuning options. Splunk is easily scalable.

    How are customer service and support?

    I am happy to report that I've never needed to contact technical support. The README tutorials and the existing forums provide me with practically everything I need. So far, I haven't had to do so. This should be a testament to the solution.

    Which solution did I use previously and why did I switch?

    We broaden the scope of IT governance and IT security.

    We look at everything from SIEM to network management to endpoint protection, server protection, database protection, and anything else that can aid in visibility, policy enforcement, and monitoring.

    Our organization is using a combination of Splunk and Elasticsearch. We get most of what we need from the ELK suite. ELK Stack is usually the primary focus.

    ELK has the same inbuilt reports and dashboards that you can customize, but ELK is better for central logging and log aggregation. Once they've all been aggregated, you'll be able to run any kind of queries and APIs to query the logs on ELK and then use Splunk as a presentation layer for the consumers to use.

    Security tools, in my opinion, are business tools and should be used by businesses rather than security engineers. I'm experimenting with a hybrid of the two, in which ELK serves as the engine for central logging and Splunk handles the presentation layer and aggregation of additional third-party logs from tools that might be difficult to integrate into ELK.

    I would rate Elasticsearch a ten out of ten.

    How was the initial setup?

    It's a cloud-ready package. It has the same characteristics as ELK. From a deployment standpoint, I don't have any issues with it. The material is freely accessible to anyone who wishes to use it. There is a virtual machine option. You can get a virtual machine by downloading it. The deployment options are simply numerous, and it is up to the implementer.

    It wasn't that difficult for me. There are no complaints from me. The material is present, and there are numerous options for deployment. It's relatively simple to go from zero to viewing data with Splunk. ELK is the same way. It is now up to the implementers and their environment to provide you with more data about it.

    What's my experience with pricing, setup cost, and licensing?

    They could improve their discounts. I think it's a good solution, and it's gaining a lot of traction; maybe they are recouping their R&D costs. Further reductions would be fantastic, and I believe that more and more people would flock to it.

    Which other solutions did I evaluate?

    We provide IT consulting services. Our customers occasionally ask us to assist them in locating specific solutions.

    What other advice do I have?

    I would recommend this solution to others who are interested in using this solution.

    I would say the forums and READMEs provide more than enough information about Splunk. Most people struggle because they move too quickly through the implementation process. As long as you follow the guidelines, particularly the specifications for environment requirements and implementation methodology, these solutions should work out of the box.

    Splunk is a very good solution, I would rate it a ten out of ten.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Senior Network Engineer at a tech services company with 51-200 employees
    Real User
    Useful search function, beneficial session reports, but performance could improve
    Pros and Cons
    • "The most valuable features in Splunk are the search function and the ability to run selected session reports. The session reports are important because I can use them to see what is going on in our environment weekly. Additionally, we can use the graph to see how often that particular event is happening."
    • "Over time I will have more requirements and I can foresee the solution could improve the search algorithm to run and output the data faster."

    What is our primary use case?

    We typically use Splunk to collect and check all the logs and events around the diverse network environment, which includes firewalls, switches, and routers. For example, we have traffic that needs to go from one part of the network to another, and if we think there is a firewall blocking it along the path, rather than log in to all the firewalls to see what is happening, we simply go into Splunk and check the traffic going across the parts of the network to see where it is being dropped and what is the likely reason it has been dropped.

    How has it helped my organization?

    Splunk has saved our organization time by resolving problems in a quicker timeframe. Before, if we had networking issues, we would have to log into every single device and check the firewall to see why the traffic is not going across to solve the problem. With Splunk, you only have a single pane of glass to check what is likely happening. This has enabled us to easily go to the right environment and write the necessary security policy to permit such traffic. It brings about faster resolution of problems reduced with visibility.

    What is most valuable?

    The most valuable features in Splunk are the search function and the ability to run selected session reports. The session reports are important because I can use them to see what is going on in our environment weekly. Additionally, we can use the graph to see how often that particular event is happening.

    What needs improvement?

    Over time I will have more requirements and I can foresee the solution could improve the search algorithm to run and output the data faster.

    For how long have I used the solution?

    I have been using Splunk for approximately six months.

    What do I think about the stability of the solution?

    We have been satisfied with the stability of the solution.

    What do I think about the scalability of the solution?

    Splunk scales very well.

    We have approximately 50 people in our infrastructure and applications teams using this solution in my organization.

    We plan to increase usage in the future.

    How are customer service and technical support?

    I have not needed to open a ticket up with technical support. 

    Which solution did I use previously and why did I switch?

    Prior to using Splunk, we only had some Syslog servers that we sent logs to. However, Syslog servers do not analyze your logs; they only capture them. Whereas, in Splunk, you can assess the logs and you can do other things with the log.

    How was the initial setup?

    I do not think the implementation is difficult.

    What about the implementation team?

    We have an internal team that does the maintenance of the solution.

    Which other solutions did I evaluate?

    I have evaluated DataDog.

    What other advice do I have?

    Splunk is easy to use and not having the need to log into every single network device for management is helpful.

    I rate Splunk a seven out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Consultant at Splunxter, Inc.
    Real User
    Our clients are easily able to modify and evolve their implementations
    Pros and Cons
    • "With good domain knowledge, one can build almost anything. If you throw in Alert Manager or an integration with ServiceNow, then you have your own SIEM."
    • "Our clients are easily able to modify and evolve their implementations."
    • "It needs a better way to export dynamic views without requiring a ton of code and user/pw."
    • "It needs integration with a configuration management solution."

    What is our primary use case?

    Security. We have built SIEM solutions three times from the ground up (not ES) using Splunk for some of the largest companies in the world.

    How has it helped my organization?

    Our clients went from unhappy using inflexible, poorly-supported products (in some cases barely functional) to confident and excited when using Splunk. Not only are they able to do their security jobs and investigations, but they are also easily able to modify and evolve their implementations themselves to keep up with the shifting sands of the SecOps landscape.

    What is most valuable?

    • Core Splunk
    • Saved searches
    • Dashboards (SimpleXML) 

    With good domain knowledge, one can build almost anything. If you throw in Alert Manager or an integration with ServiceNow, then you have your own SIEM.

    What needs improvement?

    • It needs integration with a configuration management solution. 
    • It could use better password management for forwarders. 
    • It needs a better way to export dynamic views without requiring a ton of code and user/pw.

    For how long have I used the solution?

    Almost 10 years.

    What do I think about the stability of the solution?

    Unfortunately, lately every release has a new memory leak. Be SURE to upgrade late and READ THE RELEASE NOTES, especially the "Known Issues" section.

    What do I think about the scalability of the solution?

    We only ever have issues when deployed on VMs and the VM admins do not do what we tell them to do, which is EXCLUSIVELY RESERVE OUR RESOURCES.

    How are customer service and technical support?

    It used to be great (but perhaps that was because my employer at the time was a key prospect in a vertical where Splunk had no customers), but Splunk support is definitely a victim of Splunk's explosive growth. The first tier support is as bad as it is most places and getting worse all the time. If you KNOW your problem is not run of the mill, ask for escalation immediately. Also, the clock on the case does not start until somebody adds a note to the case, so always call in and ask if they got your diag file (always attach a diag), and the person who answers will have to add a note to the case, which will start the clock.

    Which solution did I use previously and why did I switch?

    I have dabbled with LogRhythm and ArcSight, and they are both OK, but Time-To-Value is WAY shorter with Splunk, IMHO.

    How was the initial setup?

    Use bare-metal servers on Linux and you will be fine. Use Windows and you will have much trouble. Use VMs and your admins will cheat you and you will have much trouble. Do not use NAS!!!!

    What about the implementation team?

    In-house. We at Splunxter are Splunk experts. We can do anything with Splunk. We always hit home runs.

    What was our ROI?

    We usually get multi X-factor within a quarter.

    What's my experience with pricing, setup cost, and licensing?

    Get free PS if you can (ask) or USE THE DOCS. The documentation will get you to success. If you are not getting more value out of Splunk than the license you are paying, then you are doing something wrong and should spend a tiny bit more to get a consultant like Splunxter.com to help you.

    Which other solutions did I evaluate?

    No, we went with the free trial and got so much value so quickly that we bought in.

    What other advice do I have?

    You can also get GREAT help at answers.splunk.com.

    Disclosure: My company has a business relationship with this vendor other than being a customer: We are a Splunk-focused consulting company, but not a Splunk Partner. I am also a member of the "Splunk Trust", Splunk's "MVP" program.
    IT System Developer/Admin at a manufacturing company with 10,001+ employees
    Real User
    A stable, scalable solution with comprehensive dashboards and helpful technical support
    Pros and Cons
    • "The scalability of the solution is amazing because it can collect a lot of data and you can have your own structure to monitor this data."
    • "An area of improvement would be the licensing of the solution. They need a free license, which would allow faster lead times."

    What is our primary use case?

    The primary use case of this solution is to monitor Cyber Mission databases.

    I create the diagrams to create an architecture that is then implemented. However, creating these diagrams is for my own learning, since these implementations are usually already available in the cloud office logs.

    What is most valuable?

    The features I have found most valuable are the dashboards. 

    I monitor the complete capacity that users are using in the company.

    What needs improvement?

    An area of improvement would be the licensing of the solution. They need a free license, which would allow faster lead times.

    They also need to update their documentation.

    What do I think about the stability of the solution?

    The solution is stable.

    What do I think about the scalability of the solution?

    The scalability of the solution is amazing because it can collect a lot of data and you can have your own structure to monitor this data.

    How are customer service and technical support?

    The customer service/technical support was helpful and they answered my questions as best they could.

    How was the initial setup?

    The setup was easy, but you have to have a VPN connection depending on the security protocols in place.

    What about the implementation team?

    The deployment was in-house and took about two days with the correct licenses and permissions.

    What other advice do I have?

    It is important to define different guidelines to integrate Splunk in development, QA, and production deployments. Additionally, define the applications that will be used and the configuration of the databases to collect the data. If this is not done, there will be a lot of issues due to, for example, master access or permissions to use the database collector and blocks.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: I am a real user, and this review is based on my own experience and opinions.