SoheylNorozi - PeerSpot reviewer
IT Consultant at a tech services company with 51-200 employees
Real User
Top 5
We can script advanced queries with limited knowledge, uncover unknown threats, and identify anonymous user behavior
Pros and Cons
  • "The most valuable feature is the DSS, also known as SPL, because it allows users to script advanced queries with limited knowledge."
  • "The CIM model is the method Splunk uses to normalize data and categorize its important parts, but it is quite complex."

What is our primary use case?

Our customers utilize Splunk Enterprise Security for either their cybersecurity program or their data warehouse program.

How has it helped my organization?

Splunk Enterprise Security's threat detection capabilities are effective in assisting organizations to uncover unknown threats and identify anonymous user behavior. However, this effectiveness is dependent on using the UBA modules and having the proper infrastructure in place.

MITRE ATT&CK is the framework that we use to detect and track well-known threats. When there are well-known threats, we can utilize the MITRE ATT&CK to identify any anomalies.

Splunk Enterprise Security has its own routine and process defined for analyzing malicious activities and detecting breaches. Mainly, we baseline the client's business process and day-to-day activity and then use it to detect malicious activity through various scenarios.

Splunk Enterprise Security assists us in detecting threats more quickly. We have an abundance of unrelated and meaningless data from the raw logs, and the solution aids us in organizing and correlating this data so that we can extract meaningful events and take appropriate action. This is the primary objective for the majority of our clients. 

In most cases, we provide monitoring and intelligence to our customers based on how they use the solution. This allows other technical teams, such as PC, system support, and other tech units, to take appropriate actions. Our main role is to provide them with alerts and use case scenarios, while the detection and actions are primarily related to other aspects.

When we initially implement Splunk Enterprise Security, there are many alerts and false positives. However, with time, we are able to align our configuration with the client's requirements and do more baselining, reducing such issues.

Splunk Enterprise Security helps to expedite security investigations. Without a security solution, our security team is unable to identify threats because the log and auditing data are unrelated and uncategorized. Consequently, we cannot access them promptly. Therefore, having a solution like Splunk Enterprise Security is crucial for our cybersecurity program. For certain clients' needs, we prefer using open-source applications like ELK and ESK. However, if they opt for an enterprise and commercial product, Splunk is among the top three choices.

What is most valuable?

The most valuable feature is the DSS, also known as SPL, because it allows users to script advanced queries with limited knowledge.

What needs improvement?

The CIM model is the method Splunk uses to normalize data and categorize its important parts, but it is quite complex. Simplifying this process would assist security officers in assessing threats and using the system more efficiently.

I would appreciate it if Splunk could add the feature of importing and exporting from web servers and third-party devices during project and process development. This addition would greatly enhance the value of the solution making the maintenance for the security officer easier. 

Buyer's Guide
Splunk Enterprise Security
March 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Splunk Enterprise Security for six years.

What do I think about the stability of the solution?

I rate the stability of Splunk Enterprise Security an eight out of ten.

What do I think about the scalability of the solution?

Splunk Enterprise Security can be easily scaled once it has been installed and deployed.

Cyber threat levels are increasing every day, especially during the pandemic when most employees needed remote access to their business services. As a result, many organizations experienced a surge in attacks and required a resilient SIEM and cybersecurity solution.

Which solution did I use previously and why did I switch?

I have used ELK, ESK, QRadar, Graylog, and LogRhythm in the past. One of Splunk's strengths over its competitors is its dedicated DSS called SPL.

The drawback of Splunk Enterprise Security is that upon initial installation, we need to do a lot of customization in order to have an effective cybersecurity program and deliver quality service to the client.

How was the initial setup?

The initial setup is straightforward, but we need to make some configurations afterward that can be a bit complex. The deployment time depends on the size, but it usually takes several months to ensure stability and requires two SIEM engineers.

What's my experience with pricing, setup cost, and licensing?

Splunk Enterprise Security is hardly affordable for most of our clients, causing many of them to resort to using open source solutions instead.

In addition to the licensing fee, there is also a support and maintenance charge.

What other advice do I have?

I would rate Splunk Enterprise Security an eight out of ten due to its high total cost of ownership, difficulties in maintenance, and the complexity of configuration immediately after deployment. 

Splunk Enterprise Security may not be cost-effective for small and even some medium-sized companies. While each organization has different requirements, we do recommend Splunk for medium and large organizations.

Organizations should take into account the complexity of their environment. For instance, if they have a purely vendor-based environment for their network security appliance, it may be easier for them to handle security, fabric, and architecture requirements. However, if they operate in a multi-vendor and mixed environment, they need to conduct more research on how to integrate various components. Often, they rush into negotiating their cybersecurity program without sufficient research, leading to potential problems for clients.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Kenny Corbett - PeerSpot reviewer
Associate Director of IT at Rigel Pharmaceuticals Inc
Real User
Provides risk scores and end-to-end visibility
Pros and Cons
  • "It provides a risk score for each object, device, or user. We can then take action if they are at a higher risk."
  • "The pricing can be better."

What is our primary use case?

Splunk Enterprise Security provides more visibility into endpoints in our environment.

How has it helped my organization?

We only monitor AWS, but we also have SaaS services that are in our own clouds. So far, it is easy to monitor our cloud environment with this solution. As long as we ingest our data correctly and tune it, it will read it. It is very easy to use.

It provides end-to-end visibility into our cloud-native environment. This is critical for us because we are always one step away from a security incident, which could impact the company and cost a lot of money. That is our main point of focus.

What is most valuable?

It provides a risk score for each object, device, or user. We can then take action if they are at a higher risk.

What needs improvement?

The pricing can be better.

For how long have I used the solution?

We have been evaluating Splunk Enterprise Security for the last eight months.

What do I think about the stability of the solution?

I cannot say anything about stability, but I am assuming it would be the same as Splunk. It is an app. It is going to work.

How are customer service and support?

The technical support is above average, but they do not go into the details, so we have a contract with a third party to help us.

There might be more Splunk support tiers, but we are working with SP6. They will get their hands directly onto our Splunk environment, whereas Splunk support does not do that. Maybe there is a different tier that does that, but we do not have that. It is more of an email dialogue. They are not going to VPN into our environment. SP6 is more hands-on. I would rate SP6 a nine out of ten.

Which solution did I use previously and why did I switch?

We did not use a similar solution. We have Carbon Black for endpoints, but this is going to be a lot bigger than that.

How was the initial setup?

We are still evaluating it. We have not deployed it yet, but I was involved with the deployment of Splunk. 

It was very easy to set it up for evaluation. It is just an installer file. It is an add-on app for Splunk, and if you know how to install Splunk and add-ons, it is easy.

What's my experience with pricing, setup cost, and licensing?

I am fine with the licensing, but in terms of the cost, it is expensive for the data that we have. We have an open discussion with our account rep about this.

Which other solutions did I evaluate?

We are not evaluating any solutions because we already have Splunk, and we do not want to leave Splunk. I like it, so it is just a matter of making the commitment.

What other advice do I have?

The value that I get from attending Splunk Conferences is going to sessions and learning about what other people are doing and use cases that I have not really thought of. Also, I am able to talk directly to people about questions I have regarding our Splunk instances, and I can get some answers right away. It is very good to know what people are doing because sometimes we do something one way, but we do not know if we are doing it the right way. Here, we can get validation, or realize that we are doing it wrong and make the necessary changes. That is very valuable.

I would rate Splunk Enterprise Security a ten out of ten. Most customers at the conference have already implemented it, except for our company. It is a critical foundation app that allows you to explore other apps that Splunk is grading, and it works.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Buyer's Guide
Splunk Enterprise Security
March 2024
Learn what your peers think about Splunk Enterprise Security. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.
Manager at a consultancy with 1-10 employees
Real User
Provides constant monitoring and good visibility, but is not user-friendly
Pros and Cons
  • "Compared to IBM QRadar, Splunk Enterprise Security offers faster alert resolution."
  • "Splunk has a steeper learning curve, making it feel less user-friendly."

What is our primary use case?

We use Splunk Enterprise Security for security correlation and event management.

Splunk Enterprise Security is deployed as a hybrid model where the core component is on the cloud and is integrated with an on-premises solution.

How has it helped my organization?

Splunk Enterprise Security offers strong visibility through readily available use cases and supports integrations with most standard log sources. Its search capabilities are also commendable. Compared to other tools, Splunk Enterprise Security delivers superior visibility.

While we haven't integrated UEBA yet, it's in our plans. As a proactive monitoring solution, UEBA offers several benefits. It can identify Indicators of Compromise based on historical threat intelligence and generate alerts for suspicious activities. This allows us to potentially detect compromised accounts or ongoing attacks before they cause significant damage.

Splunk offers its threat intelligence service, which helps prevent IP replication and malicious threats. This information can be integrated or configured for our specific use cases, delivering more relevant and high-value insights.

Threat topology and MITRE ATT&CK are frameworks used to understand and analyze attack patterns and techniques, which can then be used to formulate and refine IOCs.

Splunk Enterprise Security's effectiveness in analyzing malicious activities or detecting breaches depends heavily on its configuration and correlation settings. Therefore, it's impossible to definitively label any tool as inherently good or bad. Ultimately, its success hinges on the organization's implementation. This includes onboarding the tool with the appropriate block sources for security detection, employing a sound risk assessment methodology, and aligning the tool's capabilities with both business and security use cases. When configured correctly, Splunk Enterprise Security can undoubtedly contribute to improvements in MTTD and MTDL.

Splunk Enterprise Security helps us detect threats faster. It allows us to define use cases, integrate with multiple threat feeds, and even connect to vulnerability solutions. In essence, by configuring all relevant log sources and defining appropriate use cases, we can achieve the primary objective of any SIEM solution: reducing mean time to protection.

Splunk Enterprise Security has reduced our investigative time by 25 percent by consolidating all logs into a central console. This eliminates the need to log into individual tools for log retrieval.

Splunk Enterprise Security helps reduce the number of false positive alerts.

What needs improvement?

In terms of monitoring capabilities, Splunk Enterprise Security performs adequately. However, its user interface requires training for efficient use. Compared to competitors like IBM QRadar, McAfee Nitro, and RSA Security Analytics, Splunk has a steeper learning curve, making it feel less user-friendly.

For how long have I used the solution?

I have been using Splunk Enterprise Security for almost four months.

How are customer service and support?

We use a licensed third-party Splunk partner for support, and I haven't heard of any issues so far.

Which solution did I use previously and why did I switch?

Compared to IBM QRadar, Splunk Enterprise Security offers faster alert resolution. Its superior indexing and searching capabilities deliver quicker query results. While QRadar boasts a more user-friendly interface, Splunk provides numerous pre-built use cases that effectively reduce false positives and feature comprehensive application dashboards.

For instance, I encountered a use case unavailable in QRadar which appears to utilize the Cyber Kill Chain framework. MITRE ATT&CK enjoys wider adoption, and Splunk leverages this framework whereas QRadar persists with the Cyber Kill Chain. Additionally, Splunk integrates with a third-party app exchange, offering functionalities like vulnerability dashboards, threat intelligence, correlation dashboards, and EPS dashboards. This extensive library of applications caters to diverse business use cases. Users can install these applications as needed, making Splunk a highly customizable and feature-rich solution. Although undeniably expensive, its capabilities justify the cost.

What's my experience with pricing, setup cost, and licensing?

While Splunk is a powerful enterprise tool, I'm new to it myself. I've heard Splunk is often preferred over other options, but the cost can be prohibitive for smaller organizations.

There are cheaper SIEMs available, but they require much more manual configuration, typically by developers with scripting knowledge. Splunk does not require this manual configuration, and its parsing, indexing, and visibility are superior.

What other advice do I have?

Based on the limited time I have been using the solution and the feedback I have received from other users, I would rate Splunk Enterprise Security a six out of ten.

Without a SIEM solution, we rely on individual point solution consoles. For example, logging into a firewall reveals only local logs. Imagine the firewall detects suspicious IPs generating unusual traffic. Confirming this as a true or false positive is difficult solely based on firewall rules. Conversely, a SIEM offers multiple options for correlation. Say the firewall denies traffic, and threat intelligence identifies the source IP as malicious. Additionally, web server logs might show suspicious activity or bad actors attempting an attack. With multiple logs and threat indicators, the chance of false positives drops significantly. Correlation enables confirmation of genuine traffic versus malicious activity. Without a SIEM, pinpointing true attacks from false positives becomes challenging.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Security Analyst at a tech services company with 1-10 employees
Real User
Top 20
Good monitoring and visibility with helpful threat detection capabilities
Pros and Cons
  • "The solution helped reduce our alert volume."
  • "When we do a rollout from the server or host or anything, we'd like to see more automation. It would save us time."

What is our primary use case?

I have worked in a couple of areas of Splunk. Initially, I was part of a monitoring team that used it for security information. I used to monitor security alerts which we used to get on Splunk, which was based on the use cases and we set up specific rules for it. Currently, I am part of the administration of Splunk. Now I onboard different log sources to Splunk. We pass over the logs so that it can be used for the security team.

How has it helped my organization?

It helps with security and making sure our infrastructure is compliant. It also allows reporting to be in one centralized location. We can monitor the security logs effectively. It really helps as a cybersecurity element for the company infrastructure to protect us from attacks.

It is quite reliable in terms of data. We have a good amount of licenses currently and find it to be very flexible. It can handle and pull up any amount of data.

What is most valuable?

Splunk is very fast and user-friendly as well. The UI and design is user friendly. It is easy to understand. 

We can do a lot of things on Splunk. We can integrate a lot of other applications on Splunk. And that can be used for day-to-day security operations. It is easy to use, easy to implement, and it is fast. It is reliable.

Our organization monitors multiple cloud environments. We monitor all the infrastructure and cloud environments of clients.

It is easy to monitor multiple cloud environments with Splunk. You have to get clients onboarded to Splunk first, and then the monitoring part comes last. We have a couple of things that have to be done before the security team starts monitoring. For example, we install the agents and set up the hosting. We get the data from the host, we pass it. It is quite a lengthy process. It is easy, however, we have to do it very carefully and cautiously.

Splunk Enterprise Security provides visibility into different environments.

The solution's insider threat detection capabilities for helping our organization find unknown threats or anomalies in behavior are good. We have multiple security frameworks. For example, we have micro frameworks. There are different sets of rules. We set it. What Splunk does internally is just match the incoming logs. Based on the rules that we have set, it will match with the incoming logs. If it matches, then it will generate alerts for the security team. Based on that, we can identify if there is a potential threat trying to get into the company or internal infrastructure. 

The actionable intelligence provided in Splunk Enterprise Security is good. 

It will help us to automate things and can handle certain items on its own. It will just investigate, remediate, and close the necessary alert. If it is beyond Splunk's capability, then an investigation team will be involved in it. 

I have used the threat topology and attack framework feature, however, now I am more of an administrator.

Splunk Enterprise Security is good for analyzing malicious activities and detecting breaches. There are a couple of other tools as well, which do the same thing. However, with Splunk, it's very easy to work with the dashboard and do search queries. You can easily look through the logs via Splunk UI.

The solution helped reduce our alert volume. It will just minimize the false alerts, and just post positive alerts. It's likely reduced false alerts by 60%. A lot is automated now and that helps cut down on manual work.

The solution has helped to speed up our security investigations. Once again, the automation will speed up the process of investigation. It saves a lot of time for analysts as it allows them to see the initial data. If a team has multiple alerts, it will take them time to go through and check everything. However, Splunk does the initial investigation for analysts and will escalate to analysts as needed. It might have reduced security investigations by 80% compared to earlier versions. 

What needs improvement?

When we do a rollout from the server or host or anything, we'd like to see more automation. It would save us time. We wouldn't have to write anything. We would just like the raw log automation.

For how long have I used the solution?

I've been using the solution for three years now. 

What do I think about the stability of the solution?

It is a stable product.

What do I think about the scalability of the solution?

There are two types of users: the administrators and then the users where the logs are coming from. We have about ten to 15 administrators working directly with Splunk. Overall, there may be more than 1,000 end users we get logs from.

The solution is scalable. In terms of data, it's very flexible. 

How are customer service and support?

Technical support is good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I've used other solutions in the past. We previously used
ArcSight Enterprise Security Manager (ESM). It was older and very slow. Comparatively, Splunk is very fast and it has a better UI.

How was the initial setup?

The initial setup was easy. It was not complex. I didn't do the implementation on my own. The deployment times vary. There are many moving parts, such as approvals that need to be taken into consideration. 

We get logs from various sources from various clients.

It does require a bit of maintenance. It requires, for example, server upgrades and patching. 

What's my experience with pricing, setup cost, and licensing?

I can't comment on pricing. I don't take care of that aspect. 

What other advice do I have?

I'm a customer and end-user.

I'd recommend the solution to others and invite them to test the service first on the infrastructure they have. It's a very valuable product to have.

I'd rate the solution nine out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
PeerSpot user
Staff application Security Analyst at a media company with 5,001-10,000 employees
Real User
Enables us to analyze security anomalies and research specific threats that we get on our network
Pros and Cons
  • "The solution has made us more secure."
  • "It takes time to train people."

What is our primary use case?

We use the product to analyze security anomalies and research specific threats that we get on our network.

How has it helped my organization?

The solution has made us more secure. It has given us the ability to address threats faster, with greater accuracy.

What is most valuable?

The availability of the data and the fact that we're able to collect a large amount of data into the system and analyze it is valuable to us. The product’s speed and availability make it really useful for us. I'm excited about the additional enhancements to the machine learning toolkit. To be able to use it more is exciting to me.

What needs improvement?

My organization needs more people to learn how to use the solution effectively. It takes time to train people.

For how long have I used the solution?

I have been using the solution for six years.

What do I think about the stability of the solution?

I have never seen any issues with the tool’s stability.

What do I think about the scalability of the solution?

Considering how much we have in place, I would assume that the solution’s scalability is pretty strong.

How are customer service and support?

I haven't had to go to Splunk directly for many things. Communicating with our success managers has been very positive.

How would you rate customer service and support?

Positive

What other advice do I have?

We need to improve our implementation. We're a pretty large customer of Splunk, so I think we do have a lot of resources available. Splunk has really good courses and availability. We need to get more people to be more familiar with the tool. The solution has helped us reduce our mean time to resolve. It really works well for us, and it helps us to look at our data more effectively.

Splunk has helped improve our organization’s business resilience. It's not just used for security. We have big use for it. It has definitely helped us prevent problems from occurring and identify them when they do. Splunk’s ability to predict, identify, and solve problems in real time is very strong. It works as well as we use it. There's a lot of value within the tool. It can be very powerful if used properly and if people are knowledgeable about it.

Splunk has a strong ability to provide business resiliency by empowering staff. I've been using it for as long as I've been with this organization. Compared to other solutions, Splunk is really strong.

I have seen time to value using this solution. I love using it. It’s a great tool. I cannot compare Splunk to other tools because I've been using it for as long as I've been with my current organization. In my previous organization, we didn't have big data, so we really didn't need the product. I am a consumer of the solution from a security perspective.

Overall, I rate the solution an eight or a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Tech Director at a government with 10,001+ employees
Real User
Increases observability, cuts security operations costs, and has amazing support
Pros and Cons
  • "The consolidated overview of all the events that come in through our environment and an easy-to-access interface for all our end users are valuable."
  • "I love the solution, but I would like to see more accessibility to the machine-learning capabilities that are sprinkled around Splunk."

What is our primary use case?

Our primary use case is SOC operations. However, we do have a lot of people sprinkled around that deal specifically with data analytics.

How has it helped my organization?

Splunk Enterprise Security definitely improved our organization. It has helped out with handling our SOC operations across the enterprise. It has increased observability exponentially as we build out the solution to support enterprise operations, and we definitely hope to see it evolve in the near future as well.

We manage multiple clouds. The Spunk solution for the cloud environment is a great asset for us, especially because we are able to get full observability of our cloud platforms in a consolidated environment. In terms of integrations, Splunk has so many integrations with our different cloud service providers, which allows us to easily get that data down to our operators.

We run a global operation, so we have to have observability across the board. Splunk allows our operators to quickly gain insights into the global operation so that they can handle the day-to-day activities that they do, which includes the security analysts' work, data analysts' work, or anything along the lines of handling troubleshooting.

It has reduced our operation time, and it has cut time by more than half. 

It has improved our organization’s business resilience. It has helped with disaster recovery and continued operations in the event of disaster recovery.

It has been an extremely good asset to support day-to-day activities for operations. It is something that was required and needed for over a decade now. It is definitely a nice change of pace, and it also improves the quality of service that our operators can provide to our customers and clientele.

It has cut our costs when it comes to running security operations. I do not have the exact numbers, but it has been a significant cut, especially because we have better access to data engineering and data scientists' tool sets to cut the data cost.

What is most valuable?

The consolidated overview of all the events that come in through our environment and an easy-to-access interface for all our end users are valuable. As we get more people onboard, it is important that they are able to easily jump onto the platform and understand what they need to see in our environment. Having that quick operational capability allows us to get our observability up to speed as fast as possible.

What needs improvement?

I love the solution, but I would like to see more accessibility to the machine-learning capabilities that are sprinkled around Splunk.

For how long have I used the solution?

We have been using Splunk Enterprise Security for about a good five years.

What do I think about the stability of the solution?

It is probably one of the most resilient tools in our environment, so I really enjoy what it provides us. It definitely provides us that 24/7 accessibility to our environment.

What do I think about the scalability of the solution?

The scalability is exactly what we needed to make sure that we have observability at the global scale. For global operations, Splunk has great scaling features to make sure that it is able to handle the large volume of data that we handle.

How are customer service and support?

Splunk's support is great and amazing. The people we work with in our corporate environment are top-tier experts. They understand our environment very well, especially because they have worked in our environment before, so Splunk has done a great job in getting that type of talent to support their customers. I would rate them a ten out of ten.

How would you rate customer service and support?

Positive

How was the initial setup?

I was not involved in its deployment. I adopted it after I took this role.

What was our ROI?

We have seen a significant return on investment when it comes to Splunk, especially because of how it has allowed our operators to quickly respond to events on a day-to-day basis. It has allowed global observability.

There has definitely been a time to value. It comes down to having operators have access to such a unified platform.

What's my experience with pricing, setup cost, and licensing?

From what I have seen so far, Splunk has multiple cost models. The one that we are using is pretty good when it comes to ingesting data into the environment. It has worked out pretty well.

Which other solutions did I evaluate?

We have evaluated other solutions, and Splunk definitely comes out as one of the top competitors due to its interoperability with a lot of data sources that are sprinkled around in our environment. This interoperability is a key piece because we have such a diverse asset environment.

What other advice do I have?

Overall, I would rate Splunk Enterprise Security a ten out of ten.

The biggest value I get from Splunk conferences is being able to interact with my peers throughout our organization. I get an idea of what they are doing to make sure that we are on the same page and that we are able to cohesively build our security operations.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Cyber Security Engineer at a university with 5,001-10,000 employees
Reseller
The analytical features helped us reduce our alert volume by 30 to 40 percent
Pros and Cons
  • "I like Splunk's data aggregation and search capabilities."
  • "Splunk could add more ways to manage archiving and storage. There isn't a web interface. You can do this on the SaaS version, but the on-premise platform doesn't have this option. It has other things but no option for remote NAS. I would like to have a personal web interface where I can specify how long logs should be stored. To have this readily available on the web, you need to adjust some settings on the backend. That is tricky."

What is our primary use case?

Splunk Enterprise Security is a SIEM solution we use for security compliance and threat detection. 

How has it helped my organization?

Splunk helped us fulfill our requirements for security compliance and auditing. It also protects us from attacks. We can quickly notify our customers if they are facing any attack or breach. 

The solution's analytical features helped us reduce our alert volume by 30 to 40 percent. Splunk significantly speeds up our security investigations. 

What is most valuable?

I like Splunk's data aggregation and search capabilities. The insider threat detection features are handy, and Splunk's user behavior analytics are solid. It's one of the best tools for UBA. It covers everything. 

Splunk's Threat Intelligence Management draws from 10 to 15 open-source sites in real-time, enabling us to correlate our data with the IOCs. It helps us detect zero-day attacks. Splunk's threat topology and MITRE ATT&CK framework cover everything, including endpoints and application security from Layer 3 to Layer 7. Most queries are available out of the box. 

It's a fantastic tool for monitoring your environment. It allows you to do some granular analysis and see which assets are part of an attack. When breaches occur, you can quickly search your entire environment. It speeds up our threat-hunting process. 

What needs improvement?

Splunk could add more ways to manage archiving and storage. There isn't a web interface. You can do this on the SaaS version, but the on-premise platform doesn't have this option. It has other things but no option for remote NAS. I would like to have a personal web interface where I can specify how long logs should be stored. To have this readily available on the web, you need to adjust some settings on the backend. That is tricky. 

For how long have I used the solution?

I have used Splunk Enterprise Security for four years. 

What do I think about the stability of the solution?

I rate Splunk Enterprise Security nine out of 10 for stability.

What do I think about the scalability of the solution?

I rate Splunk Enterprise Security nine out of 10 for scalability.

How are customer service and support?

I rate Splunk support eight out of 10. 

How would you rate customer service and support?

Positive

How was the initial setup?

Deploying Splunk is straightforward, but it requires some preparation. After you get your platform ready, the onboarding is easy. It isn't rocket science. Configuring visualization is also simple. It doesn't require much maintenance on our end because we have an SLA. 

What's my experience with pricing, setup cost, and licensing?

I work on the technical side, so I don't know precise figures. However, I know that Splunk is a premium product, so it's somewhat costly. Still, you get a lot of unique features for the money. 

You can choose the cheapest solution, but that will only help you achieve compliance in the near term. However, over time, you will begin to realize that there are so many security gaps that your team can't address. You need a solution like Splunk to maintain long-term security compliance. 

What other advice do I have?

I rate Splunk Enterprise Security 10 out of 10. My advice to Splunk users is to keep it simple. You don't need to complicate things or bring in AI and ML. Focus on the fundamentals like data onboarding and extraction, parsing, visualization, etc. Keep your dashboard simple, so it's easy for the end-user to understand. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
Owner at a computer software company with 1-10 employees
Real User
Top 20
Offers advanced threat detection, robust log management and powerful analytics to enhance organization's cybersecurity posture
Pros and Cons
  • "The most valuable features for us include its robust log management capabilities, which allow us to efficiently handle and retain logs for extended periods as needed."
  • "I find that the learning curve for Splunk is relatively lengthy."

What is our primary use case?

The primary focus of our work with Splunk is on security incident monitoring and security log monitoring. This involves utilizing it to analyze and respond to security events effectively. Additionally, compliance with regulatory requirements is another crucial aspect of your role. We also extend Splunk's functionality to custom applications by writing custom parsers and handling logs specific to those applications. This includes the development of unique dashboards tailored to the needs of each application.

How has it helped my organization?

Splunk's capabilities in insider threat detection are highly effective in assisting organizations in identifying unknown threats and anonymous user behavior. The sophistication of these features is notable, making them suitable and beneficial across a range of organizational sizes, from small businesses to large enterprises.

The threat topology and MITRE ATT&CK features are seamlessly integrated as complementary components within Azure.

It significantly accelerated security investigations, and I believe the improvement falls within the range of twenty to thirty percent.

The resilience provided by SIEM adds significant value; it is highly effective.

What is most valuable?

The most valuable features for us include its robust log management capabilities, which allow us to efficiently handle and retain logs for extended periods as needed. The flexibility to customize log retention periods is particularly beneficial. Additionally, we find the dashboard functionality and the advanced query language options to be highly valuable. These features, especially the powerful query language, are extensively utilized in our day-to-day operations.

What needs improvement?

I find that the learning curve for Splunk is relatively lengthy. To utilize it effectively, one needs a substantial amount of time for learning. I might appreciate a learning curve that comes with more out-of-the-box functionality, such as easily installable Splunk apps or user-friendly features.

For how long have I used the solution?

I have been working with it for three years.

What do I think about the stability of the solution?

I find it to be highly stable, and I would rate it a solid ten out of ten.

What do I think about the scalability of the solution?

I would rate its scalability capabilities ten out of ten.

Which solution did I use previously and why did I switch?

Before using Splunk, I relied on the built-in tools of Linux operating systems, such as Syslog NG, but specifically the open-source versions. I haven't had experience with the commercial version of Syslog NG, which is a more advanced tool. In this category, Splunk is essentially my first exposure to such advanced features.

How was the initial setup?

Setting up Splunk is quite straightforward, especially for basic configurations. The process is not overly complicated. While a cluster implementation may require more advanced steps, the basic setup is generally easy to handle.

What about the implementation team?

I handled the deployment independently, but the required personnel depends on the organization's size and the expected outcomes. For larger organizations, especially when the new tool integrates with various departments like operations, development, and security, it becomes a collaborative effort. In such cases, it's not a one-person job and involvement from multiple departments is essential. However, for smaller companies, the process is less complicated. It involves coordinating with support and developer teams to communicate the implementation, and the focus is on providing the necessary outputs from the tool to support their ongoing work effectively.

I utilized it in a single, non-geographically dispersed location. My experience is limited to a single site, and I haven't worked on a multi-site installation.

While it can run stably for a certain period, eventually, there is a need to manage or archive logs, especially if your background storage is not unlimited, as is often the case in these scenarios.

What was our ROI?

The return on investment is quite favorable with Splunk, particularly for large enterprises that have made the initial purchase and possess the requisite expertise and technical support.

What's my experience with pricing, setup cost, and licensing?

In terms of pricing, I believe Splunk is unreasonably costly for the majority of mid and small-sized companies. Its real advantages, or what sets it apart, seem to be more suitable for large enterprises.

What other advice do I have?

For the market I focus on, which includes small to medium-sized companies, I would recommend Wazuh. It's an open-source security information and event management solution. The main consideration is that, in terms of both functionality and cost, Wazuh is sufficient for the requirements of smaller enterprises. Utilizing an open-source tool like Wazuh can effectively cover the necessary areas without the need for the higher costs associated with Splunk.

I would recommend that anyone considering implementing Splunk should first thoroughly assess their environment. It's crucial to determine whether Splunk is genuinely needed for your specific usage scenario or if a smaller software solution might suffice. Overall, I would rate it nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.
Updated: March 2024
Buyer's Guide
Download our free Splunk Enterprise Security Report and get advice and tips from experienced pros sharing their opinions.