Overall Satisfaction with Splunk Enterprise Security (ES)
We are a system integrator for Splunk. We introduce Splunk Enterprise Security to our customers as a complete SIEM tool, a kind of tool that can address modern SOC requirements. We try to address the overall security posture of the customer's environment as the business requirement. We also encourage our customers to bring all kinds of data into Splunk, ranging from security data to business data, and actively try to get them signed up for training so that they know how to use the product.
- Splunk ES comes with a number of correlation searches which cover a lot of data sets. The benefit of ES over other security tools is that customers can enable a few correlation searches to get maximum coverage.
- Splunk ES comes with its own built-in investigation tool. This helps customers drive their SOC workflow end to end, i.e., you can ingest your data, run correlations, run investigations, and also integrate with third-party tools like SNOW from a single application.
- Splunk ES introduced a concept called risk-based scores, which is a very interesting concept that allows the SOC team to investigate the highest-priority alerts. This helps keep alert fatigue to a minimum.
- Splunk Enterprise Security relies heavily on data model acceleration for running its correlation searches. It is a very good concept, but for new customers it is quite confusing. It would be nice if there were step-by-step guidelines on how to enable and fine-tune these data models inside the app: for instance, recommend which indexes have to be integrated into each data model, identify which data sets are tagged correctly, etc. For example, if the customer wants to have authentication data: Step 1: collect data from authentication data sources => check. Step 2: are the tags working correctly? => check. Step 3: give recommendations of the ES correlation searches => check. Step 4: enable all the correlation searches and the data models => check. If a workflow like this were present, new customers would find a lot of tasks much easier to achieve instead of relying on professional services.
- It would be great if ES had a much more polished version of the MITRE coverage dashboard out of the box, so we don't need to rely on the Security Essentials app to find where we stand on the MITRE framework.
- Splunk Enterprise Security is a unique product that allows you as the organization to simply run out-of-the-box correlation searches on a large number of data sets and helps you detect incidents with ease. The setup is not very complicated, and with assistance from the sales team and professional services you would be able to set up your own SOC team from scratch.
- The Splunk Security team is very well-versed in the security field, and they can provide you with training opportunities and suggestions on how to run your SOC environment and keep you updated with the latest security trends.
- The Splunk Security team also conducts their own investigation into major security breaches and vulnerabilities that come out worldwide, and they release correlation searches and suggestions on a regular basis, which can be implemented in your environment free of cost.
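The step-by-step check described above (data arriving, tags working, correlation searches identified, acceleration built) can be expressed as a handful of saved searches. The fragment below is an added example written for this page, not code from the reviewer or from Splunk ES; it assumes Windows authentication events land in an index named `wineventlog` (an assumption, adjust to your environment) and would live in the `savedsearches.conf` of a small custom app on the ES search head.

```ini
# Added health-check saved searches (example, not part of Splunk ES).
# ASSUMPTION: authentication events are in index=wineventlog; change the index to match your data.

# Step 1: is raw data from the authentication source arriving at all?
# tstats over indexed fields (index, sourcetype, host) is cheap and needs no tagging.
[ES Check 1 - Authentication data arriving]
search = | tstats count where index=wineventlog by sourcetype, host
dispatch.earliest_time = -24h
dispatch.latest_time = now
enableSched = 0

# Step 2: are those events tagged "authentication"? The Authentication data model's root search
# requires that tag. A sourcetype that appears in Check 1 but not here is not CIM-tagged.
[ES Check 2 - Authentication tag coverage]
search = index=wineventlog tag=authentication | stats count by sourcetype, eventtype
dispatch.earliest_time = -24h
dispatch.latest_time = now
enableSched = 0

# Step 2b: is the accelerated summary populated? summariesonly=true reads only the summary.
# If "accelerated" is 0 while "total" is not, acceleration is off or not yet built for that range.
[ES Check 2b - Authentication data model acceleration]
search = | tstats summariesonly=true count as accelerated from datamodel=Authentication where index=wineventlog by sourcetype | append [| tstats summariesonly=false count as total from datamodel=Authentication where index=wineventlog by sourcetype] | stats sum(accelerated) as accelerated, sum(total) as total by sourcetype | fillnull value=0 accelerated total
dispatch.earliest_time = -24h
dispatch.latest_time = now
enableSched = 0

# Step 3: which ES correlation searches read the Authentication data model, and are they enabled?
# disabled=1 rows are candidates to enable once Checks 1, 2 and 2b are green.
[ES Check 3 - Correlation searches using Authentication]
search = | rest /servicesNS/-/-/saved/searches count=0 | search action.correlationsearch.enabled=1 | where like('search', "%datamodel=Authentication%") OR like('search', "%datamodel=\"Authentication\"%") | table title, disabled, action.correlationsearch.label
enableSched = 0
```

Step 4 (enabling) is configuration rather than a search: the per-data-model index allowlist is the CIM add-on macro `cim_Authentication_indexes`, set through ES's CIM Setup page, and correlation searches are enabled from ES Content Management or by setting `disabled = 0` on their stanza. Run the checks in order; each one narrows down where the pipeline breaks, which is the kind of guided workflow the bullet above asks for.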
Splunk ES, with its well-thought-out risk-based dashboards, has taken the pressure off SOC teams that were regularly getting alert fatigue going after every other notable event that was being generated. The implementation of risk-based alerting gives the team a good feel for their environment and will help them go after the biggest threats to their environment.
I personally felt that it is easier to onboard structured data to IBM QRadar compared to Splunk. But when onboarding unstructured data or unknown data, Splunk is king.
Do you think Splunk Enterprise Security (ES) delivers good value for the price?
Yes
Are you happy with Splunk Enterprise Security (ES)'s feature set?
Yes
Did Splunk Enterprise Security (ES) live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of Splunk Enterprise Security (ES) go as expected?
Yes
Would you buy Splunk Enterprise Security (ES) again?
Yes