Splunk Enterprise Security: Configured to your organization
Updated July 13, 2022

Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Overall Satisfaction with Splunk Enterprise Security (ES)

We utilize Splunk Enterprise Security for log analysis, correlation, and alerting. Security alerting and monitoring is the primary focus of our Splunk deployment and all logs are evaluated based on analytic value to security directives prior to being ingested. Splunk allows us to aggregate disparate logs and solution data and correlates events to generate security alerts.
  • Log ingestion and indexing
  • Event correlation
  • Event timeline
  • Data representation and presentation

  • Cloud log ingestion on-prem vs. Splunk Cloud
  • Improvements to approachability of SPL
  • Built-in dashboarding and common use
  • Formal adoption of SIGMA SIEM rule repositories

  • Increased visibility across multiple log sources
  • Reduction in MTTR beyond initial compromise to additional targets or resources
  • Customization of alerting and monitoring to reflect our business's priorities and practices
The scalability of Splunk Enterprise Security is only limited by an organization's monetary flow. SIEM is always an expensive endeavor and Splunk Enterprise Security runs into the fund wall, but technological scalability is fairly straightforward and simple. One note: those who require an on-prem solution are often locked out of more advanced features as the company pushes its cloud-first initiative. This is acceptable as long as you know in advance you will either have to sacrifice features, build them yourself, or move to the cloud.
Splunk does not hide its correlation and analytics logic from users as much as other solutions in the same space. While some features are harder to access, the underlying information is all accessible and tunable. This gives Splunk an edge over other solutions that lock the user into a predefined box. However, many other solutions in the space have more advanced out-of-the-box functionality when turned on. The advantage lies with Splunk's granular control over logs and events to generate high-fidelity notables and alerts.

Do you think Splunk Enterprise Security (ES) delivers good value for the price?

Yes

Are you happy with Splunk Enterprise Security (ES)'s feature set?

Yes

Did Splunk Enterprise Security (ES) live up to sales and marketing promises?

Yes

Did implementation of Splunk Enterprise Security (ES) go as expected?

No

Would you buy Splunk Enterprise Security (ES) again?

Yes

Recorded Future, Proofpoint Targeted Attack Protection (TAP), Digital Shadows
Splunk Enterprise Security is well suited to bulk data ingestion and can be manipulated to intake any data sets. This allows the admins and users to collaborate and design notables and alerts based on their individual use cases without a best-fit approach. While this is extremely liberating and allows for remarkable customization it also makes for a steep learning curve that must be tackled before new implementations can be of value. This often leaves organizations in the hands of a channel partner or with an unhealthy deployment.

Splunk Enterprise Security (ES) Feature Ratings

Centralized event and log data collection: 9
Correlation: 9
Event and log normalization/management: 9
Deployment flexibility: 8
Integration with Identity and Access Management Tools: Not Rated
Custom dashboards and workspaces: 9
Host and network-based intrusion detection: 7
Log retention: 9
Data integration/API management: 7
Behavioral analytics and baselining: 7
Rules-based and algorithmic detection thresholds: 8
Response orchestration and automation: Not Rated
Reporting and compliance management: 8
Incident indexing/searching: 9