Splunk FTW... when it's the right fit
June 22, 2022
Score 9 out of 10
Overall Satisfaction with Splunk Enterprise Security (ES)
We implement ES for banks, government orgs, and enterprises globally. We have specialised in the banking domain and have customised many use cases for banking-specific requirements in our projects.
- Extending capabilities to 3rd-party integrations.
- Customisation of use cases.
- Bringing in custom log sources and integrating these into security use cases.
- High performance, enterprise-grade, security analytics at high volumes.
- ES on the cloud (SaaS) has too many limitations with platform administration.
- Supported integrations are not always on par with enterprise support especially when dependent on 3rd-party proprietary APIs.
- In later versions, unforeseen glitches seem to show up that have no resolution except a version upgrade. This was not the case in prior versions, which were very stable.
- We have a 100% success rate on all our ES implementations due to the amazing documentation and Splunk enablement on the subject.
- Our Splunk ES business has grown 100% YoY for the last 3 years.
- In terms of long-term management and maintenance, ES has been highly stable and predictable, reducing our overhead on a costly services team for ad hoc maintenance work.
Splunk ES allows a high level of tuning and customisation of data models and rules which are used to lower false positive rates. This has significantly lowered the impact on SOC teams we manage for most of our customers. The product has also allowed us to build advanced use cases and customisations on data sources previously not integrated with prior tools, enhancing visibility and correlation across infrasec layers. In this regard, Splunk ES has helped us attain our security goals for improvised and evolving security posture for our customers.
Overall scalability of Splunk ES is par excellence. We have implemented solutions in on-prem, cloud, and hybrid mode and have had success in all. There is plenty of room for improvement in the Splunk SaaS offering for ES, and this needs to be addressed before things become difficult for Splunk SaaS customers. Migration from Splunk on-prem to Splunk SaaS is documented and straightforward; however, there is a gap in documentation and SOP for migration from self-hosted cloud deployments to Splunk SaaS for ES.
Securonix does not nearly meet the scale, extensibility, and maturity that Splunk ES offers. However, when looking at the MSP architecture options, Securonix is a much more flexible platform for multi-tenanting. So, Splunk ES for captive SOC platforms and Securonix for MSP/multi-tenant platform is the go-to approach. QRadar is an excellent option for low-budget, standard SIEM use case customers. However, it cannot match up to the extensibility and customisation that Splunk ES provides especially for advanced use cases and non-standard data sources.
- ES is best suited when the customer has matured out of the older standard SIEM requirement. It is not the most effective tool for a first-time SIEM requirement (e.g. in organisations where any generic security use cases can be implemented just for a compliance check box).
- In extremely complex, multi-site clustering, management of SH clustering for ES has come to light recently. Customers with mature DC-DR multi site requirements and processes need to set a good SOP for recovery. That said, this is still the best product at scale.