Item: Splunk Enterprise Security (ES)
Rating: 10
Author: Michael Simko

Use Cases and Deployment Scope

As a consultant and instructor, I've used ES for a wide variety of purposes, from standard security to compliance, and lately Risk-Based assessment. ES is configurable for many use cases, and since it is built on Splunk, it can be extended to include any type of use that we can do in a search or dashboard.

Pros and Cons

Piece together the actual trail of an incident event by using all of the logs from each system.
Correlate indicators of compromise that otherwise may be left. Instead of failing 3 times to log on, smarter systems will fail once, leave, and then return an hour later, or go to a different machine. All of that behavior stands out when you are searching across the enterprise.
ES lets you pivot outside of the pre-canned items to perform searches of the data. That way, when you think you've found something you can chase down the assumptions.
Searching at scale. There is something to be said for systems that can handle enterprises without having to perform shortcuts.
Extensibility. Any time we come up with new use cases we can make correlation searches (think rules) or dashboards that let us keep the work so we won't have to repeat it in the future.

It is coming along, but alert fatigue is a real issue in SIEMs. Better logic on RBA and even some ML to bring the most likely issues to the forefront would be great.
Machine Learning algorithms out of the box. Several correlation searches use ML algorithms for grouping. I'm hoping we see the ML integrate more with better algorithms without requiring the users to be solid with ML.
AI, or AIOPS if you prefer, to help perform initial triage based upon past choices would be great. Have we always closed similar findings, then why keep bringing them?

Return on Investment

Piece of mind knowing what is happening in the enterprise and what the level of threat is.
Faster finding of resolution over other SIEMs due to SPLs power
Completeness. Having all the data means being less likely to have holes. Only collecting some data would lead to gaps in visibility.

Scalability

Splunk can search huge datasets. I'd give a perfect 10 if we had enough trained source types, but will go 9 as I've seen environments that were set up, but the getting data incorrectly part wasn't complete. That's not Splunk's fault, but perhaps we could have more ways to help to get that taken care of so the customer doesn't need to be quite as good at Splunk.

Alternatives Considered

ArcSight Intelligence and IBM Security QRadar

Flexibility, the power of the search language, the amount of premade content put ES above.

Key Insights

Do you think Splunk Enterprise Security (ES) delivers good value for the price?

Yes

Are you happy with Splunk Enterprise Security (ES)'s feature set?

Yes

Did Splunk Enterprise Security (ES) live up to sales and marketing promises?

Yes

Did implementation of Splunk Enterprise Security (ES) go as expected?

Yes

Would you buy Splunk Enterprise Security (ES) again?

Yes

Likelihood to Recommend

ES is well suited to the SOC with some Splunk expertise. With that, the customization can take ES to the next level. Security threats change and ES can morph to fight the new issues, but it will take some care and feeding. ES isn't particularly well suited to the SOC that won't work to customize or extend it. For those cases, perhaps a security MSP can assist?

ES from a consultants perspective

Overall Satisfaction with Splunk Enterprise Security (ES)