Item: Splunk Enterprise Security
Rating: 8
Author: Jacob Gonzales

Overall Satisfaction with Splunk Enterprise Security (ES)

Use Cases and Deployment Scope

We utilize it to generate notable events and alerts on enterprise-wide activity. It also enhances our threat intelligence posture to bolster security sharing with our partners. Splunk Enterprise Security helps our organization solve the problem of creating alerts based on a variety of sources through data normalization. I enjoy the Common Information Model and how it helps normalize data across sources. Our analysts don't need to know every single source but can search off one field to collect a variety of events.

Pros and Cons

Pros

Normalize data
Search efficiency
Reporting and dashboards
Data visualization
Alerting and reporting

Cons

Improved user interface
Resource requirement
Admin overhead
Consolidated dashboarding

Return on Investment

Improved response time
Reduced hours for IOC analysis
Streamlined analyst workflow
Improved threat intelligence

Security Analytics

Splunk Enterprise Security helped improve our security goals for the organization. Data normalization, Threat Intelligence aggregation, Advanced Searching, and Reporting, and Asset and Identify management have all assisted in accomplishing our goal. The Splunk Enterprise Security app allows for a variety of customization to fit our needs. We can shape the app to the most important aspects of the security monitoring that is conducted in the organization.

Scalability

Splunk Enterprise Security supports both a clustered and non-clustered environment. This has been an improvement as the first versions of Splunk Enterprise Security required a single standalone search head that was only running Splunk Enterprise Security specific apps and not a part of a cluster. Overall, we have been able to increase our ingestion rate two-fold, and Splunk Enterprise Security has been easily able to handle the increase.

Alternatives Considered

Splunk Enterprise, IBM Security QRadar and Trustwave SIEM

Splunk Enterprise Security allows for data normalization that does not compare to other SIEMs such as QRadar or Trustwave. QRadar requires custom dsm parsers before the data can be onboarded. I appreciate that Splunk Enterprise Security can ingest any source of data and normalize it based on a simple app that is available from Splunkbase. It is a much more streamlined process.

Key Insights

Do you think Splunk Enterprise Security delivers good value for the price?

Yes

Are you happy with Splunk Enterprise Security's feature set?

Yes

Did Splunk Enterprise Security live up to sales and marketing promises?

Yes

Did implementation of Splunk Enterprise Security go as expected?

Yes

Would you buy Splunk Enterprise Security again?

Yes

Other Software Used

Corelight, Suricata IDS, Splunk SOAR

Likelihood to Recommend

Splunk Enterprise Security helps normalize the data across the environment. It allows our analysts to search with simple terms across sources of data. The data visualization aspect is also a vast sea of dashboards and reporting. However, I find the number of dashboards to be inefficient for analysts. They have to know which dashboard will give them the proper data. It would be much easier to have a dashboard that can give them a single pane of glass.

Splunk Enterprise Security Feature Ratings

Comments

Please log in to join the conversation

Splunk Enterprise Security Normalizes Security!