The 1E Tachyon single agent and platform is a remote endpoint management solution designed to significantly improve IT’s ability to support the Work From Anywhere Enterprise. It provides endpoint diagnostics and remediation, end-user experience management and monitoring, and service delivery for ServiceNow ITSM.
N/A
Splunk Enterprise Security (ES)
Score 8.4 out of 10
N/A
Splunk Enterprise Security (SIEM) is the company's flagship SIEM product, offered as a premium service to subscribers of Splunk Cloud or Splunk Enterprise.
When we are needing to patch workstations for zero-day vulnerabilities or security risks, Tachyon Explorer is our go-to tool to push out those settings quickly. We have a Tachyon server stood up in our DMZ to communicate with the workstations outside of our VPN, so we can push those settings or patches to devices without needing them to attach to our network. It's really nice to be able to communicate with the computers that rarely connect to our corporate network and ensure that they are still protected. We do have the 1E Client installed on all of our internal servers in order to get inventory and licensing information, but we don't typically utilize the Tachyon software on the servers for much else. A different team handles those computers and often requires change management, so expedited changes don't happen often there. Standard deployment and patching tools do the job.
Well suited: Splunk ES is highly recommended in an environment with many data sources and experienced computer engineers. It has a steep learning curve, but once that hurdle is crossed, it is absolutely a beast. It is also very expensive, so a company putting a high amount of budget in Security is needed. Not well suited: Splunk ES is not recommended if a company has only a few sources and some non-technical IT users. The price won't justify the fewer data sources and scratching just the surface level. Moreover, non-technical IT users would be better off with something that has a query builder, unlike Splunk.
Advanced Threat Detection and Correlation: ES stands out in its ability to detect sophisticated threats by correlating data from multiple sources. For instance, it can identify unusual patterns in user behavior, cross-referencing with network logs to flag potential insider threats.
Real-time Monitoring and Alerting: ES offers robust real-time monitoring capabilities. It excels in promptly alerting us to critical security events, such as suspicious network traffic spikes or unauthorized access attempts, allowing for immediate response.
Comprehensive Log Analysis: ES ingests and analyzes an extensive range of log data. It's particularly adept at parsing and making sense of complex log formats, making it a versatile tool for understanding system activities and security events.
They currently don't have all of their products incorporated into the Tachyon web interface, meaning that we need a separate administration console for using their Shopping product.
The 1E Tachyon Exchange is an online repository for common or useful instructions, but it is still a bit lacking. New instructions aren't published very often.
Writing your own custom instructions for Tachyon Explorer has a bit of a learning curve if you aren't already familiar with SQL queries or their SCALE language. There is published documentation for SCALE, but I'd like to see them add a basic functionality course to their online training portal.
ES on the cloud (SaaS) has too many limitations with platform administration.
Supported integrations are not always on par with enterprise support especially when dependent on 3rd-party proprietary APIs.
In later versions, unforeseen glitches seem to show up that have no resolution except version upgrade. This used to not be the case in prior versions which were very stable.
1E Tachyon has plenty of features and functionality right out of the box. They offer a Tachyon Exchange web portal where you can go to download new Tachyon product packs as they become available through consulting engagements and customer requests. Sometimes you might need to do something more specific or customized than what is available to everyone, and that's when your own knowledge is put to the test. Being able to write your own SCALE code would be invaluable, but takes a while to learn if you aren't already familiar with SQL, PowerShell, or a few other popular languages. Making it your own can definitely take some work, but it's worth it in the end.
You definitely need to learn how to use Splunk to get the most of the tool. There are many courses available for free to get up to speed on the usability of the tool but it's not that simple. It will take time to digest all the data and to understand how to query for what you are looking for.
ES requires a very performant infrastructure: if it has it's performant, otherwise not. I had situation with a very performant infrastructure and I didn't notized that it was a distributed architecture, it seemed that there ware few data on my PC, othewise I experienced less performant infrastructures with less performaces.
It's good when it's responsive, but I've had times where I had to wait quite a while for a response. But these are typically the exceptions rather than the rule. When you do get a response it is always well-informed and appropriate. I would say they've been trending better over time with this.
I experienced only on-line training, but the trainers were very professional and competent. Maybe it could be more useful if they also have an experience in projects because sometimes they didn't have a real project experience to communicate to the students. Anyway, it was very interesting and I learned many thing that's very difficoult (or maybe impossible!) to have by myself, aven if I have more than 10 years of Splunk activity experience.
It was very interesting and I learned many thing that's very difficoult (or maybe impossible!) to have by myself. The only problem was that, when I worked with the Splunk Professional Services, I found some difference between the training contents and the information from PS. In addition is required a long experience on Splunk Enterprise for the data ingestion part, in other words I'm able to work with ES because I'm worling on Splunk since 11 years, otherwise I'd some problem.
Microsoft has good intentions, but they are often late to the table. On more than one occasion, we have seen Microsoft incorporate a new feature into their own products, but it's something that 1E had already been offering for a year or more. By the time Microsoft adds a new feature, it has already been in our 1E toolbox and even then doesn't seem to have all of the additional functionality that we get from the 1E software. Currently, we're starting to see Microsoft's push for endpoint performance analytics, which 1E Tachyon has already done impressively for some time now.
Splunk enterprise is the only solution that we’ve been able to identify that provides risk based alerting, which allows our SOC to reduce analyst fatigue which would be a huge problem without it. Before RBA, there were thousands of alerts a day and it was impossible to review all of them
for my exterience, unit pricing and billing frequency are correct. As I already said, I hint to have more discount flexibility, expecially with new customers, because there are competitors less expensive and very aggressive that are dangerous. In addition the possibility to don't pay the license for the development period could be a very interesting feature for the final customers.
- 8 out of 10 and took 2 for the data pipeline and administration part. Even if you'd like to improve yourself or your team, you have to pay a lot of money and it could be more than GIAC education + cert. - Normalization for Data models and CPU-based searches can be a problem sometimes.
I had a fantastic experience with Splunk Professional Services: they worked with us in our last SON project (a SOC migration for a very large customer) and helped to build a multi tenent environment even if ES isn't a multi tenant platform. Th Splunk PS was a very professional and competent people, he is italian and was able to speak with our italian customers.
Being able to deploy configuration changes while devices are off-network was a real-life-saver for us during the sudden work-from-home scenarios we faced during the pandemic.
Reclaiming unused software licenses has provided some additional budget to use towards other products, and helps us to justify the cost of what we already have.
Using Experience to proactively troubleshoot performance issues not only reduces the number of help desk tickets but also provides a better work environment for our employees.
ES has highly impacted ROI because as the customer of the ES the work we do for creating use cases for clients in terms of security-related aspects by their logs has given more return than investment.
The correlation searches we run to get detailed results from the Data models are very less time-consuming than Splunk Enterprise itself we can get quick responses to the use cases and dashboards populated because of ES.
The CIM compliance feature is ES has made more jobs easy in the terms of finding more Authentication related data we can get data onboarded in the Email data model from O365 and search is email data model instead of searching for particular indexes.
