Overall Satisfaction with Splunk Enterprise Security (ES)
We utilize Enterprise Security at my organization to provide an Enterprise Security overview briefing on a weekly basis. Enterprise Security has proven useful for understanding the security "health" of our organization. We don't currently utilize the investigative features of Enterprise Security, mostly due to a lack of resources (I'm the sole Splunk admin).
- Detecting events of interest that could be security risks
- Once set up, Enterprise Security is almost a full SIEM
- Providing a birds-eye view of the Security posture of an organization
- Integrating with IDS/IPS, Vulnerability Scanners, and other databases to enrich your data.
- The initial setup could be more user-friendly. After a year of working with the organization, I still do not have ES fine-tuned. While we could pay to have Professional Services come out and spin up everything, it's not fair to have purchased a product like Enterprise Security and to receive little to no instruction on setting it up. What does fine-tuning your notable events look like? What data should be mapped to the data models? What do I do when an ES index is not populating? If my Identity notables are not populating, where do I look? What does a healthy Asset & Identity manager look like?
- I've placed tickets into Splunk Support for issues like these and to be fair, a premium product like Splunk does not offer premium support.
- Faster MTTD, mostly.
Enterprise Security is not the only risk-based alerting software we have at our company. However, we feel that the best defense is defense in depth. Enterprise Security really excels in utilizing machine learning and correlation searches to understand what our network is like, and then respond accordingly. We still receive many false positives, and as I learn Enterprise Security we will learn to fine-tune those events.
Enterprise Security was already purchased before I started my position as a Splunk Administrator. It was never fully set up until I started with the company.
Do you think Splunk Enterprise Security (ES) delivers good value for the price?
Yes
Are you happy with Splunk Enterprise Security (ES)'s feature set?
Yes
Did Splunk Enterprise Security (ES) live up to sales and marketing promises?
Yes
Did implementation of Splunk Enterprise Security (ES) go as expected?
No
Would you buy Splunk Enterprise Security (ES) again?
Yes