CSO at a manufacturing company with 1,001-5,000 employees
Real User
Top 5
Has enhanced our organization by offering increased visibility and provides quick search results
Pros and Cons
  • "The most valuable features include agility and Splunk Enterprise Security's ability to quickly search for alerted items, as well as the capacity to create custom alerts using the SQL language employed by Splunk."
  • "Splunk could enhance its services by providing more comprehensive professional assistance aimed at optimizing our investment."

What is our primary use case?

We use Splunk Enterprise Security as the main SIEM system for our operation center. We use it for monitoring detection, and alert management.

We implemented Splunk Enterprise Security to help detect attacks on our network.

How has it helped my organization?

Splunk Enterprise Security is highly flexible, allowing us to create whatever we desire. This exemplifies its inherent power. The visibility it offers is notably robust. We can craft it to our needs and even utilize various frameworks within Splunk, prepackaged for security purposes. We possess distinct applications hosting diverse dashboards, catering to numerous security products, including those from different vendors.

The effectiveness of Splunk Enterprise Security insider threat detection capabilities, aimed at identifying unfamiliar threats, relies on whether we establish alerts based on the rules we formulate. If we construct rules incorporating user behavior criteria, the system functions optimally. It appears that there is an Extended User and Entity Behavior Analytics add-on available, which requires a separate license in addition to the enterprise security license. This add-on utilizes machine learning and encompasses multiple developed use cases. While it has limitations, it effectively serves the specific use cases it is designed for.

The threat intelligence framework within Splunk is also highly potent. We can ingest, link, and integrate external data feeds. Concerning IOCs, there are numerous pre-configured alerts within the system that rely on a feed of undesirable IPs. If one of these IPs triggers any of the alerts, such as those generated by our firewall's traffic logs, and the IP matches the bad IPs in the threat intelligence feed, the system correlates this information. If the flagged IP is detected within our network or appears in our firewall logs, an automatic alert is generated. We simply need to ingest the external feed. Subsequently, if the system identifies the IP anywhere, we will receive corresponding alerts.

I appreciate the new MITRE ATT&CK feature. I believe it's a valuable addition and reasonably priced. It seems the feature has been largely developed through marketing efforts, utilizing the capabilities of Splunk to display the MITRE ATT&CK map and the associated rules. This is important since MITRE ATT&CK encompasses over a hundred techniques. It presents the information to us based on the MITRE ATT&CK framework to illustrate ongoing activities. However, achieving a comprehensive understanding of each technique within the MITRE ATT&CK framework requires significant effort and adjustments.

Splunk Enterprise Security has enhanced our organization by offering increased visibility. If any adverse incidents occur, we are promptly informed. Even without configuring the custom rules, Splunk provides effective out-of-the-box rules that help prevent attacks. Consequently, it effectively halts these attacks. In fact, we have been able to detect and thwart potential attacks in their initial stages. This exemplifies the benefits it provides us.

Splunk Enterprise Security has helped to speed up our security investigations. We are now able to complete our investigations within three or four days. 

What is most valuable?

The most valuable features include agility and Splunk Enterprise Security's ability to quickly search for alerted items, as well as the capacity to create custom alerts using the SQL language employed by Splunk. This makes it a highly potent and versatile solution tailored to both user and company needs.

What needs improvement?

Splunk could enhance its services by providing more comprehensive professional assistance aimed at optimizing our investment. This aspect seems lacking as our expenses increase with higher data connectivity, seemingly without much consideration, as this translates to increased revenue for them. The challenge lies in the fact that we don't always require all the amassed data. Oftentimes, clients are uncertain about their actual data needs. Therefore, if Splunk integrated a service dedicated to system optimization and pricing, focusing on essential monitoring data while eliminating less crucial elements, it could potentially lead to cost savings for the customers. This strategic move would demonstrate their commitment to customers beyond just financial gain. It would highlight their genuine intention to provide support, streamline operations, and maximize the potential of this technology for individuals and their respective companies.

Splunk provides automation for large-scale environments where numerous servers are present. Consequently, efficient management of these servers becomes imperative. Currently, our management server operates using a top-down approach. This involves establishing connections from the main management server to every individual leaf and subsequently, to each lower-level server.

However, this architecture lacks inherent security measures. In the current setup, Splunk employs multiple collectors to gather data. Subsequently, this data is relayed upward, filtered, and then once again transmitted to the main management server. Notably, data traffic consistently flows from external sources toward the central management hub. This design enhances security, as even if a hacker were to compromise or gain control of the management server, their influence would be limited. The data originates externally and travels inwards, preventing unauthorized access to the entire system. 

In contrast, the proposed approach for managing extensive infrastructures situates the management hub at the core. This central position allows us to establish connections from the hub to the various peripheral components, even if they are located on a secure network. However, this configuration carries significant risks. A security breach at the central hub could potentially grant an attacker elevated permissions. This would enable them to compromise the entire network by gaining access to all Splunk nodes within the company. This architecture is vulnerable and has room for improvement.

Buyer's Guide
Splunk Enterprise Security
March 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Splunk Enterprise Security for four years.

What do I think about the stability of the solution?

I would rate Splunk Enterprise Security's stability a seven out of ten. This is because the system lacks built-in protection against certain issues. It alerts us when there are problems in the system, which we then need to address. However, these issues are not always easily fixable, setting it apart from other systems. For instance, sometimes the system slows down while we're working. This can occur when a new alert is implemented, leading to high resource usage and system instability. We are then required to identify and rectify the specific cause of this problem. This might involve disabling or adjusting the alert to ensure it doesn't negatively impact the system's performance.

What do I think about the scalability of the solution?

Splunk Enterprise Security's ability to scale is good. I rate the scalability an eight out of ten.

How are customer service and support?

The technical support is good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Previously, I used QRadar, McAfee, and ArcSight. However, Splunk Enterprise Security is a more modern solution. While ArcSight from HP is powerful, it is an older system with limited flexibility and complex architecture. Many companies implemented SIEM systems before Splunk became available. It seems that most large companies might still be using ArcSight, but other competitors have entered the market since then.

McAfee attempted to develop a similar system, but it lacked scalability and was better suited for small businesses rather than larger enterprises. QRadar, on the other hand, remains robust, but it lacks Splunk's flexibility. One of Splunk's notable advantages is its ability to generate alerts and then allow users to enter searches and queries to investigate network activities and log data. This process, known as threat hunting, enables users to conduct specific searches, such as identifying individuals who accessed a particular system and the internet between four and five o'clock on a Friday. Splunk promptly provides the desired results, typically within a few minutes, making it a strong choice for this purpose. Additionally, Splunk Enterprise Security features a highly effective filtering mechanism.

How was the initial setup?

I participated in the planning and implementation of Splunk Enterprise Security, as well as the creation of all rulesets and alerts. I am also configuring it to align with our technical framework.

Individuals who market Splunk Enterprise Security often claim that it can be deployed within half a day, which is quite amusing. While it is conceivable to perform the installation in that timeframe, the real complexity arises when we must establish connections with numerous systems. This involves accessing each system external to our main setup, configuring it, and directing the system to send its logs to Splunk. On the Splunk side, we encounter the need to create parsing mechanisms that allow proper data reading. This entails installing applications capable of correctly parsing the data, and addressing issues where parsing is inadequate. We then proceed to work with the data. Although Splunk provides some pre-configured rules, we also need to develop our own rules to identify specific events and potential attacks. The process of rule creation demands a substantial investment in writing rule sets. Additionally, integrating a threat intelligence framework becomes essential. We aspire to leverage the micro-framework we have established. Splunk Enterprise Security undeniably possesses considerable capabilities. Nevertheless, it necessitates continuous effort to unlock its full potential and achieve ongoing enhancements.

The solution's complete implementation may require up to one year. Throughout most of the deployment, we had a team of two members, occasionally expanding to three.

What about the implementation team?

For the implementation, we used two integrators and Splunk Professional Services.

What was our ROI?

Considering the fact that Splunk Enterprise Security aids in thwarting attackers from gaining access to our environment, I would correlate this with a return on investment.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security's pricing is high. Larger companies may afford it, but I believe that in the current market situation, where everyone is facing challenges, financial resources are tight. Even stock market tech companies are embracing cost-saving measures. Expenses are now more constrained compared to a few years ago when companies had greater spending capacity. Companies are reluctant to make hefty payments. While Splunk is cheaper than Microsoft Sentinel, QRadar is priced at half the cost of Splunk.

Splunk Enterprise Security's licensing is typically determined by the data throughput we handle. Additionally, they offer an alternative pricing model which involves payment based on CPU usage. This newer model was introduced as a response to Elastic Security. However, Splunk enforces licensing in either scenario. 

What other advice do I have?

I rate Splunk Enterprise Security a nine out of ten.

We do not monitor the cloud environments with Splunk. While we have several cloud environments, we avoid using Splunk for this purpose due to its high cost. To utilize Splunk, it would be necessary to place the Splunk engine in the cloud and gather all the logs from various cloud sources, resulting in substantial expenses due to the large volume of logs. As a result, our primary usage of Splunk is on-premise. Instead, we employ different systems to monitor the cloud, generating alerts through various security mechanisms. These alerts are then processed in Splunk, reducing both data traffic and costs.

Splunk Enterprise Security's capabilities to analyze malicious activities and detect breaches are similar to those of other systems. Its effectiveness depends on the rules we develop within it. To truly maximize its value and tailor it to the organization's needs, a significant amount of additional work and utilization of professional services are required.

The reduction of the alert volume presents a challenge due to the X number of personnel in the security alert center. They can effectively handle only Y alerts per day without experiencing fatigue. When the volume surpasses this limit, they tend to merely open and close alerts without thorough investigation. It's as if they've become weary of the process. Therefore, we must determine the optimal number of alerts per day and adjust the rules accordingly. The primary objective is to achieve a statistically reasonable number of alerts per day. This number should be somewhat higher than the current rate, but not three times greater, as exceeding this threshold would render their efforts ineffective. Conversely, if the number of alerts is too high, the personnel's capacity to take action is undermined, resulting in a lack of meaningful outcomes. Striking a balanced middle ground is imperative. This approach enables us to effectively identify and address crucial matters while ensuring our personnel can thoroughly investigate each alert.

Depending on the goals an organization aims to achieve, if their sole focus is on finding the most economical solution and they do not prioritize comprehensiveness, then QRadar would suffice. However, if they seek instant access to answers, I would recommend Splunk Enterprise Security.

Splunk Enterprise Security is deployed across our entire network.

Maintenance is necessary for the system, and updates are needed periodically. Whenever we acquire a new system, we must connect it to Splunk.

Resilience constitutes a crucial component of Splunk Enterprise Security, contributing significantly to the safeguarding of our system.

I recommend Splunk Enterprise Security for organizations that have the budget, time, and skill to properly utilize the solution. I do recommend paying for Splunk Professional Services.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Maaz  Khalid - PeerSpot reviewer
Cyber Security Analyst at Rewterz
Real User
Top 20
Robust threat detection with extensive customization options and seamless integration with third-party security solutions
Pros and Cons
  • "One key advantage of Splunk over competitors like IBM QRadar is its superior device integration capabilities."
  • "Delays in responses from the technical team can pose challenges for both vendors and clients, especially considering that Splunk applications and machine solutions are critical assets."

What is our primary use case?

We typically suggest Splunk IT builds for customers with significant EPS requirements and large-scale data environments. While other solutions like Foundry and IBM QRadar may be popular, they often have limitations in handling big data effectively.

How has it helped my organization?

It offers visibility across various environments, encompassing diverse infrastructures such as multiple firewalls. Some environments are entirely cloud-based, while others follow a hybrid model with services both on-premises and in the cloud. The infrastructure setup varies depending on the organization's specific model and needs.

We are highly satisfied with the level of visibility provided by Splunk.

It offers advanced threat detection capabilities to assist organizations in uncovering unknown threats and anomalous user behaviors. Splunk is utilized for integrating various devices including firewalls and other security controls, enabling coordination of logs and the creation of use cases. Analysts investigate alerts generated by these use cases, identifying and mitigating potential threats. Additionally, Splunk provides built-in and customizable use cases to enhance security measures.

We utilize the threat intelligence management feature in Splunk, which includes the provision of IOCs. Additionally, we have third-party intelligence services integrated into Splunk, which alert us whenever any related feature is triggered.

The effectiveness of the actionable intelligence offered by the threat intelligence management feature hinges on the third-party engines integrated or enabled within it. While false positives are common and require investigation, there are instances where identified IOCs are indeed malicious. In such cases, actions like reporting or following a predefined playbook can be taken.

We leverage the Splunk Mission Control feature, and I have hands-on experience with it. Typically, I manage it through Splunk, where I create rules, reports, and dashboards. Enabling third-party intelligence and other features involves a thorough review process, particularly when onboarding new clients. Once set up, we regularly review our baseline configuration and make adjustments as needed to ensure optimal performance. The Splunk Mission Control feature aids our organization in centralizing our threat intelligence and ticketing system data management. We integrate third-party intelligence services along with our company's proprietary advisories, particularly in the retail sector. This integration enables us to maintain a comprehensive reference set within Splunk.

We utilize the Threat Topology and Mitre ATT&CK Framework features to enhance our understanding of threats. These features offer micro-mapping visibility, allowing us to align identified needs with specific techniques.

The purpose of the Mitre ATT&CK Framework is to aid in discovering and understanding the full scope of an incident. Using the micro-hypotheses, we assess whether our subcontractors are adequately covered. We evaluate our rules to determine whether we have sufficient use cases for tactics and techniques, such as initial access. This process helps us identify any gaps in coverage within the Mitre ATT&CK Framework and address them accordingly.

Splunk is a valuable service for analyzing malicious activities and detecting breaches. However, I recommend ensuring comprehensive coverage of threats by integrating all relevant devices and maximizing visibility into logs. For instance, leveraging firewall logs enables the detection of anomalies at the network level, while logs from EDR solutions can identify malicious activities on endpoints.

Splunk has significantly improved our threat detection speed. Comparatively, when working with other teams, I've found Splunk to be more efficient due to its big data capabilities, allowing for faster analysis compared to IBM QRadar and similar tools.

The primary benefits our customers experience from utilizing Splunk in their organization are significant. While Splunk may be more costly compared to other machine solutions, its effectiveness shines in handling large volumes of data, making it ideal for organizations with extensive data needs. Unlike solutions like IBM QRadar, which may struggle with processing large amounts of data efficiently, Splunk's big data capabilities enable it to excel in such scenarios.

Splunk Enterprise has effectively decreased our alert volume across various use cases. Whenever we develop a new use case, we carefully analyze it, occasionally encountering false positives. In such instances, we collaborate with IT to whitelist these cases. Over time, as we accumulate a robust whitelist, the ratio of false positives diminishes, resulting in a higher rate of true positive alerts.

It has significantly accelerated our security investigations, proving to be immensely helpful. We can efficiently track and analyze user activities with most devices integrated into the Splunk environment. The visibility provided by Splunk allows us to coordinate activities seamlessly and thoroughly investigate any detected incidents. Whether it's identifying the origin of an activity or uncovering correlations between events, Splunk enables us to piece together the entire user activity chain swiftly and effectively.

Compared to other SIEM products, I've found that Splunk offers quicker alert resolution times. Its ability to efficiently handle large data volumes contributes to this advantage. Analysts typically have predefined playbooks and investigation checklists for when alerts are triggered, which Splunk supports well. Additionally, we've customized dashboards and reports to further streamline our detection process, ultimately reducing our response time.

For those seeking cost-effective solutions, Elastic Stack stands out as a popular choice due to its single-source administration and competitive pricing. Many industries, recognizing its affordability and robust services, are swiftly adopting Elastic and other similar solutions like Wazuh.

The value of resilience in a SIEM solution varies depending on the organization's preferences and requirements. Some organizations prioritize high availability and disaster recovery capabilities, which contribute to resilience.

What is most valuable?

As an analyst, I've observed that Splunk offers a variety of rule sets, along with built-in and customizable use cases. We have the flexibility to create dashboards and expand reports for management visibility. One key advantage of Splunk over competitors like IBM QRadar is its superior device integration capabilities. With Splunk, we can seamlessly integrate and coordinate data from various sources, enhancing our analytical capabilities.

What needs improvement?

I believe there is room for improvement in reducing costs, particularly in the financial aspect, as Splunk tends to be pricier compared to other options. Additionally, enhancing support services with more technical personnel is essential. Delays in responses from the technical team can pose challenges for both vendors and clients, especially considering that Splunk applications and machine solutions are critical assets. Splunk's pricing may pose a barrier for some users, but if it becomes more competitive, it could attract those currently using IBM QRadar or similar solutions. Additionally, considering the trend towards migration to Microsoft Sentinel, which offers a comprehensive suite including identity management and EDR coverage with Microsoft Defender, Splunk could benefit from offering similar modules. In Microsoft Sentinel, they offer a separate identity management module, which I find particularly valuable. Any anomalies detected within identity management trigger alerts, providing enhanced security.

For how long have I used the solution?

I have been working with it for two years.

What do I think about the stability of the solution?

It provides good stability capabilities.

What do I think about the scalability of the solution?

The scalability of Splunk, particularly when implemented as an enterprise solution, is notable. While we work with a limited number of clients, typically five to six, they are spread across various locations, including the US and Pakistan. From a maintenance perspective, our operations are based in Pakistan. Our clientele predominantly consists of customers from Gulf countries, and we also extend our services to clients in the US.

How are customer service and support?

There have been instances where the response time from Splunk's support team has been slower in comparison to others. I find IBM QRadar and similar solutions to have more efficient support teams. I would rate it five out of ten.

How would you rate customer service and support?

Neutral

What about the implementation team?

Our deployment team handles both deployment and support services, including maintenance responsibilities.

What was our ROI?

It offers a return on investment for our company.

What other advice do I have?

Overall, I would rate it eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
PeerSpot user
Buyer's Guide
Splunk Enterprise Security
March 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.
MANISH CHOUDHARY. - PeerSpot reviewer
SOC manager at a tech vendor with 10,001+ employees
Real User
Top 10
We can easily identify users and devices, but the plugins have room for improvement
Pros and Cons
  • "Splunk Enterprise Security comes with 300 pre-deployed use cases that can be easily customized to meet the specific needs of our organization, without the need to purchase additional tools."
  • "Splunk can improve its third-party device application plugins."

What is our primary use case?

We use Splunk Enterprise Security to analyze log data for log monitoring, creating use cases, onboarding, and incident response.

We wanted a single security tool that could immediately identify notable events that could be reported as security breaches, and then enable us to take intelligent action without having to purchase additional security tools.

We have two customers with hybrid cloud solutions. Neither customer is fully cloud-based. Our implementation is based on the customer's requirements, such as compliance, data ownership, and administration. We plan the implementation of Splunk cloud or hybrid models based on these requirements. We discuss the benefits and solutions with the customer to ensure that we are not breaching any compliance policies and that we are selecting the right model for their needs. Because we have multiple customers, we must also consider how to manage this process effectively.

How has it helped my organization?

We use multiple cloud environments for our clients, including AWS, Azure, GCP, and private cloud. We can easily integrate Splunk Enterprise Security and segregate the logs based on the type of index we create for each customer. When we create different indexes, we can segregate the types of logs based on the device type. This makes it easy to separate logs from different universal providers, different machines, and specific types of indexes dedicated to particular customers or groups.

We use threat topology and MITRE ATT&CK to create and integrate use cases for network framework detection and visualization in Splunk. Splunk helps us segregate and integrate use cases based on different threat detections and provides a complete dashboard view of how use cases match with detected threats.

When discussing MITRE ATT&CK and topology, we sometimes encounter use cases where we must ensure the logic is properly implemented to detect the threat and trigger the alert. This is because log access may involve specific teams and their associated MITRE ATT&CK tactics and techniques. We must be very specific about the information we are observing in order to derive the correct information and framework topology.

Splunk is one of the easiest solutions for analyzing malicious activities and detecting breaches. It is flexible enough to work with small teams, and it provides a broad view of the data, allowing us to segregate and fine-tune the analysis based on the customer's requirements.

Splunk Enterprise Security can help us detect threats faster when it is properly configured. We have implemented over 400 use cases for specific types of malware and other threat detection. In over 70 percent of environments, Splunk is able to detect threats faster than other solutions.

It has helped our organization improve by integrating with cloud providers. Splunk enables us to blacklist specific data types and ranges to reduce our losses, based on our requirements.

We have reduced our alert volume by around 50 percent with Splunk. When we first started creating and using Splunk use cases, we received around 700 alerts. Splunk can merge different sources of use cases into one to identify false positives, which has been very helpful for us.

Splunk has helped speed up our security investigations by almost 70 percent. We have a dedicated incident response team. They use the Splunk incident reports to help with their investigations. 

What is most valuable?

Splunk Enterprise Security comes with 300 pre-deployed use cases that can be easily customized to meet the specific needs of our organization, without the need to purchase additional tools.

We can easily identify the number of security devices and users that are authenticated on the network and present the information to the executive team.

What needs improvement?

Splunk can improve its third-party device application plugins.

For how long have I used the solution?

I have been using Splunk Enterprise Security for five years.

What do I think about the stability of the solution?

Splunk Enterprise Security is stable.

What do I think about the scalability of the solution?

Splunk Enterprise Security is scalable.

How are customer service and support?

The Splunk technical support is good but their call times differ.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I previously used IBM Security QRadar, Azure Sentinel, and McAfee Network Security Platform. Splunk Enterprise Security is designed for multiple platforms and is easier to implement.

Splunk is much faster when used correctly and has many tools. With the exception of Sentinel, the other solutions do not have many tools. With Sentinel, we have to define the indexes and all those things, such as the aggregation of logs. It is easy to do searches in Splunk, even in a large environment. I find Splunk to be more efficient than the other solutions I have used in the past.

How was the initial setup?

The initial deployment is straightforward. We install the solution and define the roles of each server and the data it will store. The deployment in our test environment took 13 hours.

What was our ROI?

We have seen a return on our investment in Splunk. The variety of options that Splunk provides is a great selling point for our customers.

What's my experience with pricing, setup cost, and licensing?

While Splunk is more expensive than other solutions, we would still choose it because of its capabilities. Splunk is a leader in the field and provides a wider range of data and security features than other SIEM solutions.

I would recommend Splunk over any of the less expensive SIEM products. I recommend the license-based solution over the user-based solution that Splunk offers. If I had to recommend any other SIEM other than Splunk, it would be Microsoft Sentinel.

What other advice do I have?

I would rate Splunk Enterprise Security seven out of ten.

The threat detection capabilities that we get by default are very basic. However, if we want to implement the most effective threat protection on the internet, we need to purchase a relevant solution for intelligent threat protection. This will provide us with more feeds for enterprise security and help us to integrate data by matching the data to the target and to the security with our Splunk.

We have 60 percent of our customers using Splunk Enterprise Security in their environments.

Splunk maintenance is required for updates. 

Splunk provides a centralized monitoring platform, eliminating the need to switch between different platforms to monitor security. Splunk provides a clear view of different security losses and incidents, and we can onboard any number of devices as needed. We can monitor our entire environment from one place, requiring only one team to monitor it. Splunk adds a lot of value currently.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
PeerSpot user
Jeremiah Anderson - PeerSpot reviewer
Sr. Cybersecurity Engineer Splunk Architect at Coalfire Federal
Real User
Top 10
Reduces troubleshooting time, but the interface and usability need to be improved
Pros and Cons
  • "Internal tracking is helpful because we do not like to deal with multiple ticketing systems, and I am not a fan of ServiceNow. We are able to keep everything internal and utilize Enterprise Security."
  • "Its interface and usability can always be improved."

What is our primary use case?

Being in an air-gapped environment, we pretty much look for insider threats and other notables related to improper configurations and against security best practices.

We are 100% on-prem and in an air-gapped environment, so there is no Internet connection.

How has it helped my organization?

There have been some improvements, especially related to centering. We added user behavioral analytics, so it imports everything. Any threat generated inside of that goes into Enterprise Security. I wish anomalies would go in there, but I can understand why they don't, as it generates so many anomalies. However, it would be nice if I could select certain anomalies that would be helpful with notables. This way, I can track down security events before they become threats.

I believe Splunk Enterprise Security has reduced our mean time to resolve, but we do not have any definitive timing metrics.

Splunk has helped improve our organization’s business resilience because it is a central location where correlation searches populate. We can easily track down and figure out where issues lie, which minimizes the time of my SOC team. It probably saves them a couple of hours considering it is colocating everything in one location. It would be nice if there were better ways to search for the data. We can take a look at the raw logs, but we should be able to find the actual event that caused the problem and see all the logs associated with it in a standard log format as opposed to just a text file with all the events added in.

We are a small environment, so we do not get a lot of alerts. We work on the issues as we get them and I am sure it saves a couple of hours.

In terms of its ability to predict, identify, and solve problems in real-time, it works really well when you are connected to the Internet. The predictive analysis is more cloud-based. Trying to find ways to do it on-prem in an air-gapped environment with no Internet connection can be a pain. There are some ways to do risk-based analysis, but we are still hamstrung because we do not have the Internet connection and the larger data sets that they have.

What is most valuable?

Internal tracking is helpful because we do not like to deal with multiple ticketing systems, and I am not a fan of ServiceNow. We are able to keep everything internal and utilize Enterprise Security. Internal ticketing is helpful because we can bring in all the data and have it all available. That way, we can go back and take a look at it if we find another situation. We do not have to utilize other ticketing systems for cybersecurity.

What needs improvement?

Its interface and usability can always be improved. We are running on the last version, so I have not checked out how the newest one looks. Currently, we have to track down and remember where things are located. We have new guys on the team, and sometimes they have to click around and figure out where things are.

For how long have I used the solution?

We have been using Splunk Enterprise Security for about five years.

What do I think about the stability of the solution?

The solution is not going anywhere. As long as they continue to support and develop it, and not make it a cloud solution, we will continue to purchase it.

What do I think about the scalability of the solution?

We have a total of 500 devices, and we ingest around 150 gigs a day.

The scalability is pretty easy. They recently enabled it to be able to go into a search head cluster. Previously, the only way to install this was on its own dedicated search and it could not be connected to a cluster. Over the last four or five years, they have been pushing harder and harder for clustering everything up for shared resources. Enterprise Security is one of the few apps where you were not allowed to do that. Having scalability with the search head cluster is nice, and it is one thing I am looking at implementing in the future.

How are customer service and support?

Splunk's support is pretty good. I contacted Splunk's support a couple of times. In total, they are helpful, and we are able to get the support where we need it, but unfortunately, it is self-inflicted because we are air-gapped. It takes me anywhere between 45 minutes to an hour and a half to get the logs required. I need to get them sanitized, approved, and transferred over so that I can get them to Splunk. I would rate them a nine out of ten because a couple of times, I found the answer before they did.

They have the best documentation in all of the tech sector, and it is not behind a paywall where you cannot find information. There is certain information in Splunk Knowledge Base under the support page that I believe should be searchable through Google.

How would you rate customer service and support?

Positive

What was our ROI?

The return on investment is very good because, with ELA, we purchased the products at a reasonable price. We did not have to pay significantly more for licensing than we could possibly use. We were able to combine and get it at a much lower cost point.

In terms of the time to value, it took us a couple of months to get used to the interface and get people trained. Unfortunately, we had some turnover during that time, so we had to constantly retrain or train new people. The newer versions of Enterprise Security that came along made things a little bit easier. Luckily, we had some free training provided to us because we have an enterprise license agreement.

What's my experience with pricing, setup cost, and licensing?

Luckily, we come under a large federal agency, and before the pandemic, they signed a large enterprise license agreement. It worked out great and to our advantage because we are a small organization. We got a 300 gig license, and we just did not have the buying power to be able to get products cheaply. Because we all partnered together under the agency umbrella, we were able to get Splunk Enterprise Security, UBA, and ITSI for cheap. This was good considering the fact that some of these premium apps require a minimum number of users, and we do not have the number of people needed to even justify buying it.

What other advice do I have?

I would rate Splunk Enterprise Security a seven out of ten. There is definitely some room for improvement. I have not installed the newer version. Once I get into it, I will see what new capabilities there are, but there is a decent lift that is needed for the setup. Professional services help with that, but the customer generally does not like paying for that more than once.

Because of the ELA, I am able to come to Splunk conferences for free instead of having to pay my own dime. That helps tremendously, especially considering the fact that education is included. I believe that is because of the enterprise license agreement with the government contract. That helps out a lot. I have been coming to conferences since 2017. There are a lot of good people and a great community. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Security Analytics innovation lead at a pharma/biotech company with 10,001+ employees
Real User
Enables us to integrate the solution with other products to automate tasks, saving us time
Pros and Cons
  • "You can integrate Splunk with third-party security automation solutions and set rules for automatic response."
  • "Splunk ES could have more pre-built integrations and rules. The detection is fairly accurate, but it depends on the rules you create. Splunk's out-of-the-box configuration isn't that useful."

What is our primary use case?

We primarily use Splunk Enterprise Security for security incidents and event management. The solution is deployed in one department, but it covers multiple locations worldwide. 

How has it helped my organization?

With Splunk, we can monitor and manage enterprise-wide events. It provides a single console for various data sources covering the entire organization, which is critical for compliance purposes.

We can integrate Splunk Enterprise Security with other solutions to automate some security tasks, saving us some time. For example, if you detect potential malware and you want to isolate one system from the organization's network, you don't need to trigger a process. We can fully automate that. Minutes after malware is detected, the machine will be automatically quarantined from the rest of the network. 

What is most valuable?

You can integrate Splunk with third-party security automation solutions and set rules for automatic response. Splunk can monitor multiple cloud environments, but it's a little tricky if you're working with several vendors. Every cloud environment is slightly different, and some are better integrated.

The visibility into multi-cloud environments is decent. It depends on the number of sources you have, and Splunk is pretty flexible from that perspective. You can add any type of data source. The challenge is the engineering effort some of these data sources require, but others are effortless to manage.

We haven't used the insider threat capabilities yet, but it's an area that we want to explore. We have other tools for this. We use different products for threat intelligence. 

What needs improvement?

Splunk Enterprise Security could have more pre-built integrations and rules. The detection is fairly accurate, but it depends on the rules you create. Splunk's out-of-the-box configuration isn't that useful. 

If you spend time with your team creating rules specific to your environment, you can get a lot of value from Splunk. At the same time, that requires some additional effort and costs. Splunk has a few built-in integrations that are ready to go. In other cases, we need to build custom solutions, which is more difficult and costly.

For how long have I used the solution?

I have used Splunk Enterprise Security for about three years. 

What do I think about the stability of the solution?

It is stable overall. 

What do I think about the scalability of the solution?

Splunk Enterprise Security scales up pretty well. 

How are customer service and support?

I rate Splunk support seven out of 10. There is a little room for improvement. We always start with junior support engineers who lack the experience to deal with complex issues, which are the only problems we ever contact support about. Our staff members can handle most minor issues. 

We typically need to escalate, and we've had an excellent experience with the higher-level engineers. Those qualified engineers are scarce, so I can imagine a situation where two big Splunk customers have significant problems simultaneously, but there aren't enough available technicians. Splunk has the right people but maybe not enough of them. The process could also be improved. 

How would you rate customer service and support?

Neutral

How was the initial setup?

Deploying Splunk was relatively complex. After deployment, it requires some maintenance and management. A team of about 10-15 people is responsible for the solution. 

What about the implementation team?

We deployed Splunk with an in-house team of five to 10 people and some professional support from the vendor. 

What was our ROI?

We've seen an ROI by automating Splunk Enterprise Security, but automation requires another product and license. 

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is quite expensive compared to some products on the market. 

Which other solutions did I evaluate?

The company evaluated a few tools before deciding on Splunk. I used ArcSight at a previous job. Splunk is more flexible than ArcSight, and it has various modules you can purchase to expand the functionality. You don't need to invest in a different solution because you can purchase add-ons for your existing infrastructure. 

It's modular, so you can tailor Splunk to your organization's size, structure, and specific needs. The customer can do it. You don't need to request it from a service provider. 

What other advice do I have?

I rate Splunk Enterprise Security eight out of 10. My advice would be that before deploying Splunk, research some of the company's materials and make sure it meets your cybersecurity requirements. 

You may need to purchase other tools, and the solution might not do everything you want it to do out-of-the-box. Depending on your environment, you'll probably need to invest some time and money into the solution to get the results you want. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Security Engineer at a recreational facilities/services company with 10,001+ employees
Real User
Very versatile for many use cases
Pros and Cons
  • "The feature that I have found most valuable with Splunk is the ability to sift through a bunch of data very quickly."
  • "Their technical support sucks."

What is our primary use case?

We are using Splunk in the standard information security use case. We're also using it for various application use cases around identity management, windows active directory, and those types of use cases.

How has it helped my organization?

Splunk has provided a venue for us to determine student engagement during COVID, for which we didn't really have any other way except by looking at data that we captured off of our student systems and our authentication servers to see who's logging in, and who's logging out, and for how long they've been logged in.

What is most valuable?

The feature that I have found most valuable with Splunk is the ability to sift through a bunch of data very quickly.

We have about a 500 gig license with Splunk, so it's not like petabytes of data, but even 500 gigs is kind of hard to sift through sometimes.

What needs improvement?

Splunk has been improving consistently over the last couple of revs. I still think there are some administrative features that they could improve on and make them less kludgy, but from a user perspective, it has gotten very clean and very sexy looking over the last few builds. So the users seem to like it.

By less kludgy, I mean that in the version I'm running, I still have to go into the command line and modify files and then go into the GUI and validate that they got modified. So it's not all in the GUI, but it has been moving slowly to the GUI over the last several versions. It would be nice if they could move all of the administrative features into a GUI platform so that when you're in the Splunk distributed environment management platform, you then don't have to go into the command line to add new applications or new packages that you then want to be able to push out to your forwarders. Their forwarder management is still kind of split that way.

I don't really have any feature requests in Splunk's space. They seem to be doing a good job of keeping it contemporary from that perspective. 

Splunk's mission is to move everyone to the cloud and charge us a bunch more money. Their goal is to cloud source everything, and quite honestly, the price of cloud sourcing the product, even at smaller 500 gigs a day (which isn't a lot of data by Splunk standards) in the cloud for that is ludicrous. The cost for me to buy equipment every three years and own licensing and run it local to my prem, is significantly less from a three or five year license. I'm going to spend X amount of money on hardware every X years, and I'm going to have to pay licensing costs on software of X over that same period versus that amount that I'd amortize over five years is what I would be paying every year in the cloud.

That is the point with the product. It seems like they are so focused on forcing everyone into the cloud that they seem to be not understanding that there are people that don't have those really deep pockets. It's one thing for a Fortune 50 company to spend a million dollars a year in the cloud. It's another thing when you're a nonprofit educational institute to spend that kind of money in the cloud. Even though we do get some discounts in most of the cloud space providers, it is still not on par with the big public businesses.

For how long have I used the solution?

I have been using Splunk for probably 10 years.

What do I think about the stability of the solution?

At least in our environment, it is super stable. When you think about how much time you spend working with other applications, just Windows Server requires more feeding than Splunk does, you see that Splunk is a very low maintenance care and feeding product.

We have probably 150 users in the environment and their roles vary from being application management folks to application engineering folks to the executive suite, so lots of different use cases. The executive suite tend to prefer more curated content and the application owners have a mix of curated content and dynamic search functions they can perform. Then the engineering tier basically gets some curated content and some free reign to do whatever they want for the most part. I'm the guy that supports this instance. So there's one person.

I support not only Splunk, but I am also the campus security engineer and I'm also the dude that runs or is responsible for all of our campus monitoring infrastructure. So that tells you how little maintenance is required.

We are adding new use cases on a fairly regular basis and we are adding more licensing to our indexing license. I don't see Splunk going away. There's nothing else that I think provides the ability to do this much data analytics from just the numbers of equipment that you need to run it. Also, the number of people that you need to actually make sure that it's functioning well. In higher ed., everybody always says we should do open source. And I respond that what I do in Splunk with 20 systems, I would need three racks of equipment to do on an open source platform. I have basically 70 - 75% of the racks now and I'd need three times that or more to run this as an open source product. And it wouldn't be as cute and it wouldn't be as beautiful or as flexible.

What do I think about the scalability of the solution?

I know other folks in the higher ed. space that are running petabyte size instances with Splunk. So I would have to say it scales very well just from talking to the folks in my market silo.

How are customer service and support?

Their technical support sucks.

My engagement with their technical support was for a product which they basically took over from an open source product and they just seemed to not be able to figure out why it's not doing what it's supposed to do. The number of times I've had to engage with Splunk for solutions has been for a couple of use cases. And in every one of those use cases, support was very painful. It took a very long time and it seemed like they were more interested in burning their queue volume than actually satisfying me as a customer.

I work in higher ed. Here in higher ed., it costs us a lot of money to run it. The support from the company that you spend a lot of money with is pretty poor. I get most of my support through the Splunk sales folks because they seem to know more and they're more incentivized to keep me as a customer. When I call in to open a ticket with Splunk support, they really don't know, and this is going to sound terrible, they don't really care whether I have a 50 Meg license or a 50 petabyte license. If it's not on their workflow, their pre-programmed triage, they can't do it.

Which solution did I use previously and why did I switch?

Splunk came into being at Case Western when we were looking for a better log product than Check Point was providing at that point in time. My entire investment in Splunk, in hardware and software and integration cost, was cheaper than what Check Point was going to provide, or what the Check Point solution path was for just looking at firewall data. We knew we needed to be able to do more analytics than what we were currently getting out of our firewall products and Splunk was brought in to do that. It can do this and a whole lot more.

How was the initial setup?

Splunk is a complex critter to put in and it's a more complex critter to keep running. We have 10 search heads and four indexers and universal and a heavy forwarding cluster. We have clustered indexers and clustered search heads. This is definitely not a drag and drop product.

We engaged a third party Splunk integrator to help us do our Splunk deployment and they did our initial deployment. We used a different integrator to do some of our upgrades, which we probably won't use again. Our implementation strategy was we really just wanted to look at the classic security use case when we put this in 10 years ago. Then after that came in, and everybody was happy with what it was doing, we added some other use cases and universal forwarding and so on and so forth.

What about the implementation team?

We used an integrator.

The integrator we used to do our initial deployment was excellent. The integrator we used to do our last round of upgrades was less than excellent.

When I hire an integrator to do an upgrade in an environment, I expect them to come back and say "all of your application layer apps are upgradeable, but your OS's need to be upgraded. Do you want me to do that? Or should you do that?" I now have different versions of OS's under Splunk running in my Linux world and it would've been nice to upgrade the system OS and then upgrade Splunk, even if it was more disruptive. I guess I have to read the statement of work more closely in the future.

What was our ROI?

The TCO and ROI are really great if you're in the private, non-public sector and you're in a more standard business sector. The return on investment in total cost of ownership on Splunk is from somebody who doesn't fit into that neat silo. Do we calculate that stuff? So our return on investment is by being able to solve problems that we never knew we could solve. My answer to it is the flexibility to be able to figure out student engagement when COVID hit. This was the only platform we could do it on.

What's my experience with pricing, setup cost, and licensing?

I can comment on price in this way - in education in Ohio, we're part of the Ohio supercomputer consortium, and they act as a collective bargaining agent. So we get our licensing as a piece of the State of Ohio's Splunk license. So my pricing is very much not list or even reduced list because of the volume that the state buys.

We generally spend about $20,000 a year in third party integrator costs to get us past some of the rough edges that we get with Splunk support.

Which other solutions did I evaluate?

We briefly looked at the open source product and we obviously looked at a Check Point product. When we looked at Splunk it seemed like they had a smaller cost to procure it, and a much smaller cost to maintain it than all of those other solutions. So it was kind of why we went with Splunk. This is very non-intuitive since everybody says they love Splunk but it costs too much.

What other advice do I have?

My advice to anyone considering Splunk is to understand exactly how much data you want to look at and you want to bring in on a daily basis. Then create a rational strategy to bring the data in, in reasonably sized chunks, that fulfill a use case at a time.

On a scale of one to ten, I would rate Splunk a really good nine.

I'd rate it a really good nine because it's really versatile. You can do a lot of things with it. It allows you to do a lot of analytics in the platform without needing a bunch of other third partyware to help you figure it out.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Balamurali Vellalath - PeerSpot reviewer
Practice Head-CyberSecurity at ALTEN calsoft Labs
MSP
Top 20
Good support with an intuitive dashboard but the cost is too high
Pros and Cons
  • "The most valuable aspect of the solution is the dashboard. It's very intuitive."
  • "There are a lot of competitive products that are doing better than what Splunk is doing on the analytics side."

What is our primary use case?

Since we have an IT services company, we have been using Splunk for the deployment to the customer locations as well. Sometimes the customer will come back to us and say that we need to have a SIEM tool, and when we do the benchmarking, we'll do a couple of deployments on the Splunk side and at the customer's locations as well.

As an example use case, we deployed Splunk to a banking institution a few years ago. There the use case was basically this: the customer wanted to set up a security operation center, and they wanted to have a pretty large deployment in terms of the number of endpoints and number of switches and routers. There were many regional branch offices and they have data centers and therefore, many assets in terms of endpoints. They had 30% of their assets are running on the cloud and they needed a complete solution from an incident monitoring and management perspective. That's why we deployed Splunk. 

They wanted to reduce the MTTR, and meantime resolution, and maintain detection. They didn't want to add more SOC analysts into their SOC as the organization scaled up. They have a plan to scale from 5,000 endpoints into 15-20,000 endpoints. They're very particular about deploying the SOC operation center.

Splunk has since acquired Phantom as a SOAR platform. Therefore, we have tried to manage the security automation using Phantom with the help of Splunk deployments. It helps us meet the customer's requirements.

How has it helped my organization?

In terms of support, we're able to get the right support at the right time. If there's a break or an appliance issue, they're are on top of it.

This is very important during large-scale deployments. It's not easy to address product-related issues or appliance-related issues, and the number of collectors or number of logs that come into the collector, and managing the collectors across the branch offices, across the corporate offices, etc. It is a cumbersome process for us. That's why it's integral that we get the right support at the right time - and they make this happen.

What is most valuable?

The most valuable aspect of the solution is the dashboard. It's very intuitive. 

The reporting is excellent. The team and the SOC analyst are able to easily track the alerts and the correlation is very good compared to other SIEM tools. 

What needs improvement?

There are a lot of competitive products that are doing better than what Splunk is doing on the analytics side.

The automation could be better. Typically, the issue that we face is that it has to go to the analytics engine, then goes to the automation engine, basically. Therefore, if there are no proper analytics, the SOAR module is going to be overloaded, and we are not able to get the expected result out from the SOAR module. If they improve the analytics, I think they'll be able to solve these issues very quickly.

The playbooks which they create and provide to premium users can improve a lot. They have to create a common platform wherein the end-customers like us can choose the playbooks, and automation playbooks readily available.

In terms of integration with the third-party tools, what we are seeing is that it's very limited compared to the competitive products. Competitive products have a lot of connectors and APIs that they have developed, and that's where the cloud integration, whether it is a public cloud or a private cloud integration comes in. There are a lot of limitations to this product compared to other products.

For how long have I used the solution?

In terms of Splunk, I've been working on it for more than three years in the current company. Prior to that, I worked with it at another company as well. In total, I have been using Splunk for close to six or seven years.

What do I think about the stability of the solution?

The solution is stable, however, sometimes in some of the collectors, we are facing a lot of issues. That said, overall, if you rate it from one to five, I would say in terms of stability, it will stand at a three. 

What do I think about the scalability of the solution?

The scalability is perfectly fine. It's very awesome compared to all the other tools, as easily we can integrate with the log forwarding modules and the collector management appliances or modules. That aspect won't be a problem. 

If you look at the SIEM as a market today, Splunk is expensive compared to other competitive products. I'm also into the SIEM evaluation in my current role. I've seen that there are many tools are coming up in the last one and half years. I have also seen many other mature tools that are available now. If you compare next-gen SIEM tools compared to the Splunk, it's expensive. Therefore, it's possible we may not use this in the future or expand on current usage.

How are customer service and technical support?

In terms of technical support, we don't have any issues, as the professional services which they have extended to us are very, very good. We're able to manage many of the critical issues with their support. I'd say we are definitely satisfied with the level of service provided.

How was the initial setup?

In terms of deployment, it's not so complex compared to the competitive products, however, we will be able to manage that deployment. We don't feel there's any problem on the deployment side. In that sense, I don't think deployment is a complex one when somebody going for Splunk as a tool.

How long it takes to deploy the solution depends on the size of the deployment, basically. Even a large deployment won't take more than a week. When I say deployment, I'm considering all the log collection, log management, and the curation of the incidents, and how incidents are created and routed properly according to prioritization. 

What was our ROI?

In terms of ROI, for example, if you look at one of our customers today, they are managing close to 100 million events per day. If you look at a traditional SIEM with 100 million events, they need to manage this environment with at least 25 to 30 people. That's 30 security analysts that have to be there. However, when Splunk was deployed, a lot of automation was added on top of it, and today we are managing the same environment with Splunk with close to 15 people. In that sense, if you look at it that way, the ROI is between 30-40%.

What's my experience with pricing, setup cost, and licensing?

In terms of a comparison with the rest of the competition, the licensing cost would be, I would say, 30% higher than most.

Which other solutions did I evaluate?

Before choosing Splunk, we have evaluated QRadar and LogRhythm. QRadar is much more expensive. LogRhythm lacked reporting.

We ended up choosing Splunk due to the pricing and the reporting features. It also had the kind of scalability that was required. We felt it would help us in terms of positioning from both a cost perspective and an incident alert perspective.

What other advice do I have?

We're partners. We have a business relationship with Splunk.

We're using the latest version of the solution.

Overall, I would rate the solution at a seven out of ten.

I'd advise potential new users to ensure they do proper sizing before deploying the product. If it's a very large deployment, the number of endpoints will be quite sizeable. You need to figure out the correct number of endpoints as well as endpoint devices, switches, routers, etc.

It's also a good idea to look at use cases. Splunk is very strong in some use cases. It's important to look into deployment scenarios and check out the use cases before deploying anything.

My biggest takeaway after working with the solution is that the environment is very important. You need to be clear about the problem you are addressing and it takes a lot of planning at the outset.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
PeerSpot user
IT Director at Administrative Office U.S. Courts
Real User
Reasonably priced, helps with compliance, and saves a lot of time
Pros and Cons
  • "The most useful feature for me is the ability to create different kinds of alerts and set a different kind of denominator that will capture the real event. That is helpful for a power user like me."
  • "It will be helpful for customers if they can create some real-world cases, and we can find a case study to align with. I know that Splunk has tremendous potential. We only include a tiny piece of it. There is a lot of stuff that we need to learn. If Splunk can provide more real-time examples, that will be helpful for customers."

What is our primary use case?

We gather all the security logs from all the endpoints, network appliances, and the security filter. We have set up automatic alerts that are sent to system administrators, so we have pretty much real-time alerts about anything that happens. 

How has it helped my organization?

Splunk Enterprise Security has definitely improved my organization. First of all, it helps with compliance. Our organization has something called scorecard requirements. It is an annual self-check checklist. Having alerts set up is one of the requirements, and secondly, we have a local administrator who gets the alerts. That makes our job a lot easier. So, we pretty much know what is going on in a real-time setting.

We are the judicial branch of the government, so we are pretty much into our private cloud. We do have a setup to monitor our private cloud but not outside our organization. If we can monitor one cloud, multiple clouds will not be hard at all. It is easy.

Splunk has absolutely reduced our mean time to resolve. Knowing on time and having firsthand information is very helpful for any organization. We are able to capture what is going on, and the visibility of it is absolutely tremendous. I cannot provide the metrics, but it has saved a lot of time.

Splunk has absolutely improved our organization’s business resilience. We have been using Splunk for the last six or seven years, and I cannot imagine a life without Splunk. 

In terms of Splunk’s ability to predict, identify, and solve problems in real-time, this is something that we will look into. We have not yet looked into machine learning, AI, and all of Splunk. Currently, we are more in the reaction mode, but we are trying to get more in the protection mode or have more proactive measures. We have not got to that point yet, but we will definitely be there.

What is most valuable?

I am not into the administrator type of setup. I am more like an advanced user. The most useful feature for me is the ability to create different kinds of alerts and set a different kind of denominator that will capture the real event. That is helpful for a power user like me.

What needs improvement?

Splunk conferences are very helpful for networking and talking to folks who have a similar situation. It would be helpful for customers if they could create some real-world cases, and we can find a case study to align with. I know that Splunk has tremendous potential. We only include a tiny piece of it. There is a lot of stuff that we need to learn. If Splunk can provide more real-time examples, that will be helpful for customers.

For how long have I used the solution?

It has been six or seven years. 

What do I think about the scalability of the solution?

Splunk has a reputation for being scalable. You can start small, and if your demand increases, you can scale your platform. Splunk does a good job. It allows customers to have scalability so that they can expand their capacity. I would rate it a ten out of ten in terms of scalability.

How are customer service and support?

In our company, we have a Splunk consultant who is very good at providing a solution. So far, I have not had any problem that is unresolved. I would rate their support a ten out of ten. In this industry, there is good support, and there is bad support. Splunk's support is more like Cisco's support. It is pretty good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used something else, but I do not remember the name. Splunk is what we have been using for a long time. It is more advanced in terms of IT security. There is more scalability and the capability to do a lot of different things on multiple platforms. This is where it is more advanced than other products.

How was the initial setup?

I was not in the deployment team, but I was involved in the early stage of evaluating all different kinds of products.

What was our ROI?

There are a lot of things for which you can measure a return on investment, but security is something on which it is hard to put a dollar value and measure how much return you have got. However, in terms of helping the administrator or helping the company to put security in place, Splunk does a great job. I cannot imagine a life without Splunk.

What's my experience with pricing, setup cost, and licensing?

The pricing is a little bit on the higher side, but looking at what Splunk provides us, it is reasonable.

Which other solutions did I evaluate?

We evaluated what was on the market, and fortunately, we picked Splunk. Looking back, it was the right decision.

What other advice do I have?

Splunk is moving in the right direction and providing better and more mature products. This is my fifth conference, and I see the progress. I see Splunk bringing in all new products. They are pretty much in line with the security trends. They have improved a whole lot to meet customers' needs.

I would rate Splunk Enterprise Security a ten out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: March 2024
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.