Leveraging Splunk ES and the Splunk ecosystem to make quick progress in a nascent SOC environment
February 19, 2022


Anonymous | TrustRadius Reviewer
Score 8 out of 10

Overall Satisfaction with Splunk Enterprise Security (ES)

We utilize Splunk Enterprise Security to collect our logging into a centralized platform and then, off the back of the logs that have been ingested into Splunk, design and implement the relevant alerting via the appropriate Splunk SPL syntax required by our teams, auditors, merchants, etc. By ensuring our alerts trigger notable events on the Incident Review page, Splunk ES has given us and our analysts a single pane of view where they can easily investigate and triage possible security incidents. The customisability of the SPL syntax makes creating new use cases very simple and gives us more flexibility compared to competing open source solutions such as Elasticsearch. Furthermore, our use of the hosted Splunk Cloud service lets us avoid the burden of managing the Splunk architecture and infrastructure itself, which doesn't bring any real value to our users; having that freed-up time to focus on the actual content and use cases means we can easily and quickly deliver new alerting as required. Additionally, the fantastic Splunk community is a valuable resource for obtaining solutions from other advanced Splunk users, and the many Splunk apps and integrations with different products and vendors are great.
  • Centralise alerting
  • Ingest logs from many different tools, vendors and systems
  • Enable easy and quick creation of new alerting
  • Integrate identity components into each alert so you can reconcile different IP addresses, usernames and email conventions for your corporate staff
  • Easy and intuitive inbuilt case management
  • Lots of relevant dashboards and alerting out of the box
  • Tons of integrations and apps for different vendors

  • Performance can sometimes be a letdown depending on implementation
  • The whole log ingestion pipeline is quite complex to understand
  • There is sometimes a need to disable inbuilt alerting for non-relevant systems (e.g. if you don't use a particular OS in your estate) to improve performance
  • Infrastructure and architecture are complex to maintain if not using hosted Splunk Cloud
  • License can be expensive even for modest amounts of data ingested

  • Enables a single pane of glass for our SOC
  • Reduces triage times
  • Enables quick deployment of new use cases
  • Speeds up log normalisation and ingestion of new data feeds
  • Lowers alert fatigue with customisable suppression rules
Splunk Cloud does take the pain out of managing data indexes, data storage concerns, data retention and hot/warm/cold storage types, as well as abstracting the infrastructure which needs to be upgraded, maintained and patched regularly. If your company does not have the teams to take care of this, Splunk Cloud is ideal as a solution since it allows you to focus on implementing new use cases and content. However, there are some limitations imposed by Splunk Cloud, such as lack of support for modular inputs, lack of command line (CLI) access, and having to go through Splunk Support (who are usually pretty responsive, but there are times when this procedure takes a few days from submitting a request through to it being implemented on Splunk Cloud) every time a new custom Splunk application needs to be installed, etc. I haven't read the latest information on this, but there are also limitations on federated search and hybrid search with regard to linking in search heads hosted in our own cloud tenants and having these search our primary indexers hosted in Splunk Cloud.
Exabeam is Elasticsearch based which has major limitations compared to Splunk's SPL language. Furthermore, in my previous company, we were using Exabeam and there were a lot of false-positive detections caused by the machine learning algorithms, Bayesian inference, and other risk-based alerting Exabeam employed, which unfortunately were not too customizable in the way they worked. Splunk's rule-based approach is less prone to false positives if you invest the appropriate time to tweak the syntax and eliminate major false-positive sources. Furthermore, Exabeam being a product that was new to the market and relatively WIP was much less stable and more prone to random crashes caused by malfunctioning software components. These outages also led to secondary problems with data that could not be accepted by Exabeam having to be temporarily backed up and retained on the Syslog forwarders feeding Exabeam. Splunk so far has been very stable.

Do you think Splunk Enterprise Security (ES) delivers good value for the price?

Yes

Are you happy with Splunk Enterprise Security (ES)'s feature set?

Yes

Did Splunk Enterprise Security (ES) live up to sales and marketing promises?

Yes

Did implementation of Splunk Enterprise Security (ES) go as expected?

Yes

Would you buy Splunk Enterprise Security (ES) again?

Yes

OneTrust, HackerOne, Kibana, Google Cloud Operations Suite (formerly Stackdriver), Looker
Splunk ES is well suited for any company which can afford to pay the licensing costs and commit to a long-term relationship with Splunk. The ecosystem is unmatched compared to open source solutions such as Elasticsearch since 1) the Splunk SPL syntax is highly configurable and unmatched in terms of flexibility and the functions available, e.g. statistics, modeling, machine learning; 2) the Splunk community has loads of helpful users and resources, where many, many questions are answered promptly and sometimes in great detail; 3) the level of support and the number of integrations and apps available for Splunk from third-party vendors is unmatched, and you'll be hard-pressed to find an instance where Splunk doesn't already support most of your existing systems. The multitude of free and paid Elasticsearch based offerings/vendors can't yet compare with Splunk's maturity and, although they may be cheaper initially, don't offer the same richness of syntax, community, and integrations that Splunk does. Although Splunk architecture is complex and maintaining Splunk infrastructure can be time-consuming, their hosted Splunk Cloud option mitigates some of these concerns.

Splunk Enterprise Security (ES) Feature Ratings

Centralized event and log data collection: 9
Correlation: 7
Event and log normalization/management: 8
Deployment flexibility: 6
Integration with Identity and Access Management Tools: 6
Custom dashboards and workspaces: 8
Host and network-based intrusion detection: 7
Log retention: 9
Data integration/API management: 7
Behavioral analytics and baselining: 6
Rules-based and algorithmic detection thresholds: 10
Response orchestration and automation: 7
Reporting and compliance management: 6
Incident indexing/searching: 5

Evaluating Splunk Enterprise Security (ES) and Competitors

  • Product Features
  • Prior Experience with the Product
I've worked with Splunk before at previous companies and was aware of its strong ecosystem with regards to the Splunk community, the powerful SPL syntax language and the wide variety of mature integrations with third party vendors and products.

Elasticsearch doesn't yet have the same maturity of ecosystem or the feature stability offered by Splunk, despite the prices of Elasticsearch based solutions usually being lower than Splunk's price for similar data ingestion.
We would make the process a bit more comprehensive with regards to evaluation of feature parity between the functionality that Splunk's SPL syntax language offers compared with Elasticsearch's language so that we can evidence why Splunk's slightly higher price is justified by the long term time savings obtained by being able to use the inbuilt features in SPL.

Also, we would evaluate the difference between Splunk Cloud and other vendor hosted solutions against the alternative of having a solution hosted in our own cloud tenant and have this be managed by ourselves rather than fully managed by the vendor.