ES from a consultant's perspective
Overall Satisfaction with Splunk Enterprise Security (ES)
As a consultant and instructor, I've used ES for a wide variety of purposes, from standard security to compliance, and lately Risk-Based assessment. ES is configurable for many use cases, and since it is built on Splunk, it can be extended to include any type of use that we can do in a search or dashboard.
Pros
- Piece together the actual trail of an incident event by using all of the logs from each system.
- Correlate indicators of compromise that otherwise may be left. Instead of failing 3 times to log on, smarter systems will fail once, leave, and then return an hour later, or go to a different machine. All of that behavior stands out when you are searching across the enterprise.
- ES lets you pivot outside of the pre-canned items to perform searches of the data. That way, when you think you've found something you can chase down the assumptions.
- Searching at scale. There is something to be said for systems that can handle enterprises without having to perform shortcuts.
- Extensibility. Any time we come up with new use cases we can make correlation searches (think rules) or dashboards that let us keep the work so we won't have to repeat it in the future.
Cons
- It is coming along, but alert fatigue is a real issue in SIEMs. Better logic on RBA and even some ML to bring the most likely issues to the forefront would be great.
- Machine Learning algorithms out of the box. Several correlation searches use ML algorithms for grouping. I'm hoping we see the ML integrate more with better algorithms without requiring the users to be solid with ML.
- AI, or AIOPS if you prefer, to help perform initial triage based upon past choices would be great. Have we always closed similar findings, then why keep bringing them?
- Peace of mind knowing what is happening in the enterprise and what the level of threat is.
- Faster finding of resolution over other SIEMs due to SPL's power.
- Completeness. Having all the data means being less likely to have holes. Only collecting some data would lead to gaps in visibility.
Flexibility, the power of the search language, the amount of premade content put ES above.
Do you think Splunk Enterprise Security (ES) delivers good value for the price?
Yes
Are you happy with Splunk Enterprise Security (ES)'s feature set?
Yes
Did Splunk Enterprise Security (ES) live up to sales and marketing promises?
Yes
Did implementation of Splunk Enterprise Security (ES) go as expected?
Yes
Would you buy Splunk Enterprise Security (ES) again?
Yes
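The spaced-out failed logons described under Pros, as an added example that is not from the review or from Splunk: a Python model of what a per-host burst rule misses and an enterprise-wide correlation catches, run over constructed log lines. The field names, thresholds and sample values are assumptions, not ES content.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the page): 203.0.113.9 fails once per host, about an hour apart; 10.0.0.8 bursts on one host.
SAMPLE_LOGS = """\
2024-03-01T09:02:00 host=db01 user=svc_backup src=203.0.113.9 result=failure
2024-03-01T10:04:00 host=web02 user=svc_backup src=203.0.113.9 result=failure
2024-03-01T11:01:00 host=fs01 user=svc_backup src=203.0.113.9 result=failure
2024-03-01T12:09:00 host=mail01 user=svc_backup src=203.0.113.9 result=failure
2024-03-01T12:10:00 host=web01 user=bob src=10.0.0.8 result=failure
2024-03-01T12:10:20 host=web01 user=bob src=10.0.0.8 result=failure
2024-03-01T12:10:40 host=web01 user=bob src=10.0.0.8 result=failure
"""

def parse(text):
    """Turn key=value log lines into dicts, with the timestamp parsed under 'ts'."""
    events = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def per_host_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Single-host rule: N failures from one source on one host inside a short window."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[(e["host"], e["src"])].append(e["ts"])
    hits = set()
    for (host, src), times in failures.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            hits.add(src)
    return hits

def low_and_slow(events, min_failures=3, min_hosts=2, window=timedelta(hours=24)):
    """Enterprise-wide rule: failures from one source spread across hosts within a day."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["src"]].append((e["ts"], e["host"]))
    hits = set()
    for src, items in failures.items():
        times = sorted(t for t, _ in items)
        if len(items) >= min_failures and len({h for _, h in items}) >= min_hosts and times[-1] - times[0] <= window:
            hits.add(src)
    return hits
```

Run against the sample, the per-host rule flags only 10.0.0.8, while the enterprise-wide rule flags only 203.0.113.9, the source that never trips a single host's threshold.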