ES from a consultants perspective
February 08, 2022

ES from a consultants perspective

Michael Simko | TrustRadius Reviewer
Score 10 out of 10
Vetted Review

Overall Satisfaction with Splunk Enterprise Security (ES)

As a consultant and instructor, I've used ES for a wide variety of purposes, from standard security to compliance, and lately Risk-Based assessment. ES is configurable for many use cases, and since it is built on Splunk, it can be extended to include any type of use that we can do in a search or dashboard.

Pros

  • Piece together the actual trail of an incident event by using all of the logs from each system.
  • Correlate indicators of compromise that otherwise may be left. Instead of failing 3 times to log on, smarter systems will fail once, leave, and then return an hour later, or go to a different machine. All of that behavior stands out when you are searching across the enterprise.
  • ES lets you pivot outside of the pre-canned items to perform searches of the data. That way, when you think you've found something you can chase down the assumptions.
  • Searching at scale. There is something to be said for systems that can handle enterprises without having to perform shortcuts.
  • Extensibility. Any time we come up with new use cases we can make correlation searches (think rules) or dashboards that let us keep the work so we won't have to repeat it in the future.

Cons

  • It is coming along, but alert fatigue is a real issue in SIEMs. Better logic on RBA and even some ML to bring the most likely issues to the forefront would be great.
  • Machine Learning algorithms out of the box. Several correlation searches use ML algorithms for grouping. I'm hoping we see the ML integrate more with better algorithms without requiring the users to be solid with ML.
  • AI, or AIOPS if you prefer, to help perform initial triage based upon past choices would be great. Have we always closed similar findings, then why keep bringing them?
  • Piece of mind knowing what is happening in the enterprise and what the level of threat is.
  • Faster finding of resolution over other SIEMs due to SPLs power
  • Completeness. Having all the data means being less likely to have holes. Only collecting some data would lead to gaps in visibility.
Splunk can search huge datasets. I'd give a perfect 10 if we had enough trained source types, but will go 9 as I've seen environments that were set up, but the getting data incorrectly part wasn't complete. That's not Splunk's fault, but perhaps we could have more ways to help to get that taken care of so the customer doesn't need to be quite as good at Splunk.
Flexibility, the power of the search language, the amount of premade content put ES above.

Do you think Splunk Enterprise Security (ES) delivers good value for the price?

Yes

Are you happy with Splunk Enterprise Security (ES)'s feature set?

Yes

Did Splunk Enterprise Security (ES) live up to sales and marketing promises?

Yes

Did implementation of Splunk Enterprise Security (ES) go as expected?

Yes

Would you buy Splunk Enterprise Security (ES) again?

Yes

ES is well suited to the SOC with some Splunk expertise. With that, the customization can take ES to the next level. Security threats change and ES can morph to fight the new issues, but it will take some care and feeding. ES isn't particularly well suited to the SOC that won't work to customize or extend it. For those cases, perhaps a security MSP can assist?

Splunk Enterprise Security (ES) Feature Ratings

Centralized event and log data collection
10
Correlation
10
Event and log normalization/management
8
Deployment flexibility
4
Integration with Identity and Access Management Tools
4
Custom dashboards and workspaces
10
Host and network-based intrusion detection
2
Log retention
10
Data integration/API management
4
Behavioral analytics and baselining
4
Rules-based and algorithmic detection thresholds
7
Reporting and compliance management
8
Incident indexing/searching
8

Comments

More Reviews of Splunk Enterprise Security (ES)