OpenText EnCase Endpoint Security vs. Splunk User Behavior Analytics

Overview
Product: OpenText EnCase Endpoint Security
Rating: Score 1.0 out of 10
Most Used By: N/A
Product Summary: OpenText EnCase Endpoint Security is an endpoint security solution designed to provide 360-degree visibility across laptops, desktops and servers for proactive discovery of sensitive data, identification and remediation of threats, and discreet, forensically sound data collection and investigation. The application was developed and sold by Guardian Software as EnCase Endpoint Security, and has been part of the Security Suite from OpenText since the acquisition in summer 2017.
Starting Price: N/A

Product: Splunk User Behavior Analytics
Rating: Score 10.0 out of 10
Most Used By: N/A
Product Summary: Splunk supplies security analytics, via the Splunk User Behavior Analytics application, as a standalone solution or priced as an add-on for users of its popular SIEM products, to protect enterprises against unknown threats and malicious behavior.
Starting Price: N/A
Pricing
Editions & Modules
OpenText EnCase Endpoint Security: No answers on this topic
Splunk User Behavior Analytics: No answers on this topic
Offerings
Pricing Offerings | OpenText EnCase Endpoint Security | Splunk User Behavior Analytics
Free Trial | No | No
Free/Freemium Version | No | No
Premium Consulting/Integration Services | No | No
Entry-level Setup Fee | No setup fee | No setup fee
Best Alternatives | OpenText EnCase Endpoint Security | Splunk User Behavior Analytics
Small Businesses | ThreatLocker (Score 9.4 out of 10) | ActivTrak (Score 8.6 out of 10)
Medium-sized Companies | BlackBerry Protect (CylancePROTECT) (Score 9.1 out of 10) | ManageEngine ADAudit Plus (Score 9.1 out of 10)
Enterprises | BeyondTrust Endpoint Privilege Management (Score 10.0 out of 10) | ManageEngine ADAudit Plus (Score 9.1 out of 10)
User Ratings | OpenText EnCase Endpoint Security | Splunk User Behavior Analytics
Likelihood to Recommend | 1.0 (1 rating) | 10.0 (2 ratings)
Support Rating | 1.0 (1 rating) | 9.0 (1 rating)
User Testimonials
OpenText EnCase Endpoint Security | Splunk User Behavior Analytics
Likelihood to Recommend
OpenText
It is more suited to environments that have a large internal user base since there will be more incidents that require forensic analysis. It will be less suited for environments that have a small internal user base due to the fact that there would be fewer incidents that require forensic analysis, but it really depends on the industry that a small internal user base is a part of.
Cisco
The Splunk User Behavior Analytics application is necessary when any company wants to capture threats based on user behavior instead of just counting the number of occurrences of a particular event. With Splunk UBA, we can analyse the number of anomalies captured, which in turn create threats that are nearly true positives.
Pros
OpenText
  • Functionality meets minimal requirements, since it performs forensic investigations as advertised.
Cisco
  • Monitor and troubleshoot for any system errors.
  • Get the insights on application data sets and do some predictive analysis.
Cons
OpenText
  • Their UI definitely needs to be more user-friendly; right now it is very cumbersome to run and view investigations.
  • Authentication mechanism should be a simple username/password, not certificate-based, which is difficult to manage.
  • Needs better support documentation for the product; it is difficult to find solutions to issues that we run into.
Cisco
  • Performance-wise, it can be improved. Queries take a long time.
  • Dataset exploration - More data visualization charts can be added.
Support Rating
OpenText
Because support is non-existent whenever you have a functionality issue using the product. Also, since the UI is so cumbersome to use, we could use as much support as possible. Whenever we ask for support, we are told to take the training, which costs us more money. I believe that support should be easily accessible and affordable for the client.
Cisco
No answers on this topic
Alternatives Considered
OpenText
The other forensic tool that is a direct competitor to EnCase and wasn't listed above is the Forensic Toolkit or FTK. I believe that FTK is a better tool overall simply because it is easier to manage and use when it comes to investigations. Unfortunately, I wasn't part of the decision process and EnCase was the tool selected, otherwise, I would have recommended FTK.
Cisco
Earlier we were using Splunk Enterprise on a heavy forwarder on which all the add-ons were installed, and were using Splunk Cloud with respect to the search head and indexer stack. And with the Splunk Enterprise Security premium app, we were relying on correlation rules which were throwing a greater number of false positives, but after implementing Splunk UBA, we are now getting real-time true positive threats or incidents.
Return on Investment
OpenText
  • One negative impact would be that since the UI is cumbersome to use we would need to spend more money on training which is not always feasible.
  • Another negative impact would be that since there is not much support available this slows down investigations due to finding out how to troubleshoot and fix functionality issues.
  • One positive impact would be that since it meets minimal requirements when it comes to forensic analysis it gives us visibility on any malicious activity occurring on a user's endpoint.
Cisco
  • Fewer team members to work on real threats.
  • Less time required to deal with real incidents.
  • Easy to implement across the network.