Check Point Software Technologies provides threat intelligence via the Check Point ThreatCloud.
N/A
Splunk Enterprise Security (ES)
Score 8.5 out of 10
N/A
Splunk Enterprise Security (SIEM) is the company's flagship SIEM product, offered as a premium service to subscribers of Splunk Cloud or Splunk Enterprise.
If you have the Check Point environment and want to utilize the Checkpoint environment, you should use the [Check Point] ThreatCloud. Without [Check Point] ThreatCloud, there’s no way to stop the 0days or APTs. However, [Check Point] ThreatCloud relies on the Checkpoint infrastructure to be used and integrated. If you have other firewall and/or endpoint vendors, [Check Point] ThreatCloud is not the best service to be used. Checkpoint also offers 24x7 threat cloud-managed security services to [...] organizations. Threat cloud-managed security services leverage the threat cloud decreasing the detection time and false-positive rates via increasing protection rates.
Splunk ES exceptionally suits large organizations with complex IT environments that require real-time monitoring and threat detection across multiple data sources, including databases and cloud platforms. Besides, it is best fit for organizations with a dedicated security team that can effectively configure and customize the product to their specific needs. Splunk ES is well-suited for organizations that require extensive reporting and analytics capabilities, especially those related to compliance with industry regulations such as PCI DSS or HIPAA. However, it may be less appropriate for smaller organizations with limited budgets and fewer IT resources, as the cost and complexity of the product may not be justified.
Its best feature is its user interface, which is easy to navigate and understand. All you need is a little tutorial on how to use the Splunk query language and you're done.
Logs can be easily uploaded or shared across multiple platforms and display a highly insightful graphical representations of data using graphs, tables, and many other formats.
ES on the cloud (SaaS) has too many limitations with platform administration.
Supported integrations are not always on par with enterprise support especially when dependent on 3rd-party proprietary APIs.
In later versions, unforeseen glitches seem to show up that have no resolution except version upgrade. This used to not be the case in prior versions which were very stable.
You definitely need to learn how to use Splunk to get the most of the tool. There are many courses available for free to get up to speed on the usability of the tool but it's not that simple. It will take time to digest all the data and to understand how to query for what you are looking for.
ES requires a very performant infrastructure: if it has it's performant, otherwise not. I had situation with a very performant infrastructure and I didn't notized that it was a distributed architecture, it seemed that there ware few data on my PC, othewise I experienced less performant infrastructures with less performaces.
It's good when it's responsive, but I've had times where I had to wait quite a while for a response. But these are typically the exceptions rather than the rule. When you do get a response it is always well-informed and appropriate. I would say they've been trending better over time with this.
I experienced only on-line training, but the trainers were very professional and competent. Maybe it could be more useful if they also have an experience in projects because sometimes they didn't have a real project experience to communicate to the students. Anyway, it was very interesting and I learned many thing that's very difficoult (or maybe impossible!) to have by myself, aven if I have more than 10 years of Splunk activity experience.
It was very interesting and I learned many thing that's very difficoult (or maybe impossible!) to have by myself. The only problem was that, when I worked with the Splunk Professional Services, I found some difference between the training contents and the information from PS. In addition is required a long experience on Splunk Enterprise for the data ingestion part, in other words I'm able to work with ES because I'm worling on Splunk since 11 years, otherwise I'd some problem.
As Checkpoint next generation firewalls were already implemented in the network, ThreatCloud was easy to implement and had better features and reputation than competitors
- Schema on the fly indexing --> Gives you faster index searches. Even if you use Datamodes, it's 100x time faster as well. - Correlation with other domains easily gives you total visibility and reduces the time to investigate and understand the problem. - With lookups and trust, you can easily ingest your TI platforms and look for backlog and real-time data. - Splunkbase - RBA is using unsupervised learning also, so it's not like Qradar or McAfee. If we look at Qradar or McAfee, they are giving some magnitude values with static rules and define incident levels with that. - Advanced investigation option and out-of-box security metrics tell you that where you are.
for my exterience, unit pricing and billing frequency are correct. As I already said, I hint to have more discount flexibility, expecially with new customers, because there are competitors less expensive and very aggressive that are dangerous. In addition the possibility to don't pay the license for the development period could be a very interesting feature for the final customers.
Splunk Enterprise Security deployment is quite flexible which many deployment modes are available. Configuration and management can be centralized at the cloud console which is very convenient for administrators. With the cloud deployment, it can reduce the possibility of hardware failure which can have better uptime. Most of the configurations can be deployed easily from the management console.
I had a fantastic experience with Splunk Professional Services: they worked with us in our last SON project (a SOC migration for a very large customer) and helped to build a multi tenent environment even if ES isn't a multi tenant platform. Th Splunk PS was a very professional and competent people, he is italian and was able to speak with our italian customers.
High score rates [are] seen on breach systems after deploying systems integrated with [Check Point] ThreatCloud
Catch rates are very high compared to other vendors
One missing thing is the detection for localized URLs and IPs
Purchasing within the 3-year perspective is cheap compared to other solutions; ROI is generally six months
[Check Point] ThreatCloud eliminates the need [for] other additional services that may need to be deployed like dedicated IPS, Dedicated Sandbox, DNS solution, etc.
ES has highly impacted ROI because as the customer of the ES the work we do for creating use cases for clients in terms of security-related aspects by their logs has given more return than investment.
The correlation searches we run to get detailed results from the Data models are very less time-consuming than Splunk Enterprise itself we can get quick responses to the use cases and dashboards populated because of ES.
The CIM compliance feature is ES has made more jobs easy in the terms of finding more Authentication related data we can get data onboarded in the Email data model from O365 and search is email data model instead of searching for particular indexes.
