Considerations from an ES implementation in SOCs consultant
Updated July 21, 2022
Score 10 out of 10
Vetted Review
Overall Satisfaction with Splunk Enterprise Security (ES)
I'm a consultant in SIEM implementation for our customers. I have implemented many ES installations in recent years for SIEMs and SOCs.
Pros
- Search and analyze cyber security threats
- Cyber risk quantification of customer assets and identities
- Manage notable events and security incidents
- Investigate alerts from Splunk
- Continuously create new security Use Cases
- Reporting for the board
- Support company compliance functions in their activities
Cons
- We worked hard to customize ES for multi-tenancy because this feature isn't present in ES
- Investigations aren't so easy to customize
- Integration of ES with an external Asset Management system isn't so easy to implement
- An integration with an external Vulnerability Management system (e.g. Tenable) would be very useful to highlight dangerous areas and for asset risk quantification
- We're a Splunk Partner and we implemented many ES infrastructures for our customers
- We're too small and less structured (especially in infrastructure) to use it in our own company
- Our customers are all satisfied with ES
I performed a migration from RSA SA and I found that in ES it is much easier to implement new Correlation Searches.
Do you think Splunk Enterprise Security (ES) delivers good value for the price?
Yes
Are you happy with Splunk Enterprise Security (ES)'s feature set?
Yes
Did Splunk Enterprise Security (ES) live up to sales and marketing promises?
Yes
Did implementation of Splunk Enterprise Security (ES) go as expected?
Yes
Would you buy Splunk Enterprise Security (ES) again?
Yes
Splunk Enterprise Security (ES) Feature Ratings
Using Splunk Enterprise Security (ES)
I'm a consultant in ES implementation.
I'm a Splunk Architect and I followed a training dedicated to ES; I'll also try to get a certification in ES.
- Implementation of all SIEM features
- Threat intelligence
- Cyber Risk Quantification
- Support for Asset Inventory
- Support for Asset Inventory
- Cyber Risk Quantification
- Integration with our DSS platform for Cyber Risk Quantification (platform developed using Splunk Enterprise)
Evaluating Splunk Enterprise Security (ES) and Competitors
Yes - I worked to migrate a SOC infrastructure from RSA Security Analytics to Splunk ES for one of our customers
- Price
- Product Features
- Product Usability
The only limit of ES is price: if a customer must use ES only as a SIEM, it's an expensive solution, so I suggest reducing the cost of ES, especially when the customer's size isn't so great: some customers changed their mind about using Splunk because it was too expensive and preferred to use Elasticsearch.
ES features and usability are winning points over all the other solutions; I think that with only a small reduction of the ES price, there would not be any opportunity for other products.
I always recommend Splunk ES to our customers as the best solution for SIEMs and SOCs; even if expensive, it is the best solution for features and usability, especially when the use of the platform is extended also to non-security Use Cases (e.g. IT Operations, business insight, etc.).
Splunk Enterprise Security (ES) Implementation
- Third-party professional services
We are a third-party professional services company and we perform consultancies in ES implementation.
In addition, we used Splunk Professional Services consultancy in one of our projects because of the size of the customer, because it needed a multi-tenant installation (and ES isn't) and for a final certification of the ES infrastructure developed.
Yes - the project was the migration of the SOC infrastructure from RSA Security Analytics to Splunk ES, so it was divided into:
- architectural design and infrastructure dimensioning,
- ES configuration and tuning (installation was done by the customer itself),
- log ingestion configuration (check of the ingestion already done by the customer),
- correlation searches migration (all custom correlation searches),
- threat intelligence configuration (all custom sources),
- final check and certification.
Change management was a small part of the implementation and was well-handled: the only change management was related to the process of developing new correlation searches and dashboards for visibility for the SOC's customers.
- ES isn't multi-tenant, but we had to implement multi-tenancy to manage the customers of that SOC while maintaining separation between them
Splunk Enterprise Security (ES) Training
Configuring Splunk Enterprise Security (ES)
At first, pay very great attention to data sources, because with clean data it's possible to have clean results, otherwise it isn't.
Then, ES isn't a platform for improvisations: it needs knowledge of Splunk and specific knowledge of ES itself.
I found some customers that tried to do everything by themselves; the result was only much lost time.
No - we have not done any customization to the interface
Some - we have added small pieces of custom code - We had to customize the installation for a customer by implementing multi-tenancy. The customizations were mainly related to the data structure: each final customer had its own index, all datamodels were customized to use index and other fields for the final customers, in each datamodel index was a main grouping field, all correlation searches were customized using index as the grouping field, and for threat intelligence it was necessary to modify one of the Splunk Python scripts for index grouping.
Our project was a migration from RSA Security Analytics to Splunk ES, so we had to create one Correlation Search for each Use Case to have the same Use Cases as the previous installation.
In addition, our customer had two Threat Intelligence sources (MISP and CrowdStrike) and we had to customize the information update process to take data from those sources.
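The per-tenant index approach the reviewer describes (one index per final customer, index used as the grouping field in datamodels and correlation searches) can be illustrated with a correlation search like the one below. This is an added example, not the reviewer's or Splunk's own code; the `tenant_by_index` lookup (mapping each index to a tenant name) and the failure threshold are assumptions.

```spl
`comment("Assumed ES correlation search: excessive failed logins, evaluated separately per tenant")`
`comment("index is part of every BY clause so that counts are never aggregated across tenants")`
| tstats summariesonly=true count AS failures
    FROM datamodel=Authentication
    WHERE Authentication.action="failure"
    BY _time span=10m index Authentication.user Authentication.src
| rename Authentication.* AS *
`comment("tenant_by_index is an assumed CSV lookup with columns index,tenant")`
| lookup tenant_by_index index OUTPUT tenant
`comment("Events from an index without a tenant mapping are dropped rather than silently mixed into another tenant")`
| where isnotnull(tenant)
| where failures >= 20
`comment("Risk object fields let the result feed ES risk scoring per user within its tenant")`
| eval risk_object=user, risk_object_type="user"
| table _time tenant index user src failures
```

Saved as an ES correlation search, each resulting notable event carries the tenant and index fields, so notable event filtering and dashboards for each SOC customer can be restricted to their own tenant value.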
Splunk Enterprise Security (ES) Support
Pros | Cons
---|---
Quick Resolution, Good followup, Knowledgeable team, Kept well informed, No escalation required, Immediate help available, Support understands my problem, Support cares about my success, Quick Initial Response | Problems left unsolved
I worked with Splunk Professional Services only one time and I was very satisfied with them.
They are very expensive (probably too much and out of market) but I had all the answers that I and the customer needed.
Yes - They always answered quickly with the solution or, at least, a workaround to get past the situation.
In my last project, we opened a case for a problem that should have been solved in a past release of Splunk, but it's still present.
The support gave us a workaround to solve the problem immediately while waiting to see if it will be solved in the next release.
Using Splunk Enterprise Security (ES)
Pros | Cons
---|---
Like to use, Relatively simple, Easy to use, Technical support not required, Well integrated, Consistent, Feel confident using | Lots to learn
- Threat Intelligence
- Correlation Searches
- I know that ES isn't multi-tenant, but it's very difficult to configure and use it for many customers
- Investigations could be easier to use
Yes, but I don't use it
Splunk Enterprise Security (ES) Reliability
Integrating Splunk Enterprise Security (ES)
- our DSS platform
Our DSS platform is developed in the Splunk Enterprise environment, so integration was very easy!
- Vulnerability Management
- Asset Management
- Anti Fraud Management System
Most of them have a Splunk App or Add-On, so I think that it will be very easy to do this.
- File import/export
- Single Sign-on
- API (e.g. SOAP or REST)
We usually use file import/export for integration and, when available, APIs to extract data from external systems (e.g. Cyber Quant or Tenable Security Center).
The Splunk Enterprise smart integration features are the reason why we chose this environment to develop our DSS solution that integrates information from many external systems.
As I said many times in this review, I'd like to have some features for the integration of external systems such as Asset Management, Vulnerability Management and so on, but also in multi-tenancy mode.
In other words, I'd like to have the possibility to integrate many different asset management sources from different final customers.
Relationship with Splunk
In our experience there are many negotiations with Splunk:
usually they are ready and available to find the best approach for the customer.
I experienced only one negative situation: when a big price reduction is needed to win the customer, Splunk sales need approval from their management, which sometimes isn't so flexible in understanding the situation.
As I already said, I suggest having more discount flexibility, especially with new customers, because there are less expensive and very aggressive competitors that are dangerous. In addition, the possibility of not paying the license for the development period could be a very interesting feature for the final customers.
Upgrading Splunk Enterprise Security (ES)
Yes - I didn't experience big problems in the upgrade process, even if the ES packages are starting to be large and heavy.
If it were possible to divide the full installation package into separate packages, the upgrade process could probably be easier.
I say this because I experienced an installation and an upgrade of ES at a customer with a slow connection, and usually the process was aborted for timeout, so I needed to upload the package using SSH and install it via CLI to avoid installation timeouts.
- bug solving
- new Correlation Searches available
- multi-tenancy (but I know that there isn't!)