Splunk: Enterprise Security Review

Described as being a leading provider of operational intelligence software, Splunk addresses the challenges faced when processing considerable amounts of machine data across physical and virtual environments.

Splunk Enterprise Security is a security information and event management (SIEM) solution that gives organizations the power to quickly detect, analyze, and remediate internal and external security threats and attacks.

Originally founded in 2003 with headquarters in San Francisco, California, Splunk is now a publicly traded company (Nasdaq: SPLK) with over 850 patents and 7,500 employees worldwide.

Splunk and the Cybersecurity Market

Splunk is a clear SIEM leader with an estimated 62.96% of the market share, leaving the company virtually untouched by competitors like Azure Sentinel with 7.2% and LogRhythm with 3.97%.

Features

Built on the Splunk operational intelligence platform, Enterprise Security delivers continuous, organization-wide, security monitoring and incident response.

• Fully customizable Security Posture Dashboard provides real-time, high-level insight into metrics like current threat activity and anomaly detection.
• Quickly identify notable events, define whether they are singular or repeating, and prioritize based on occurrence and host, so the riskiest offenders are seen first.
• Track and manage the investigation of notable events, centralize threat intelligence and security context, and track users and device data using the Incident Review Dashboard and Investigation Workbench.
• Automatically group anomalies (such as strange email attachments or rare process kick offs) into a common incident to identify sequenced events and better predict similar threats going forward.
• Access regular content updates every two weeks to protect against the latest threats.
• Reference the Use Case Library to review analytic stories by malware, taking advantage of lessons learned and remediation details that prevent teams from unnecessary duplication of tasks and efforts.
• Use the Asset Investigator dashboard to triage an asset’s interactions with your environment.
• Configure Security Domains dashboards to track activities like login attempts.
• View the Risk Analysis Dashboard to track assets by risk.
• Prevent breaches before they occur with the Access Anomalies Dashboard.
• Enterprise Security seamlessly integrates with Splunk’s User Behavior Analytics (UBA) product that profiles user and entity behaviors.

Benefits

• Use predefined dashboards to identify key security indicators (KSIs) and key performance indicators (KPIs) for your organization.
• Create monitoring controls for static and dynamic thresholds.
• Optimize incident response using centralized logs, alerts, and reports.
• Conduct rapid investigations into malicious activities with support for team collaboration and information sharing.
• Make informed decisions based on cumulative threat intelligence acquired by centralizing and leveraging all machine data.
• Sophisticated incident management allows related system events to be combined.

Use Cases

Expo 2020 Dubai

When Expo 2020 Dubai was planning a six-month mega-event, they needed comprehensive and flexible security monitoring. Addressing the needs of over 190 participants spanning a 4.38 kilometer distance would be a considerable challenge on its own without factoring in over 8,000 access points, 100 security devices, multiple clouds, and one terabyte of data ingested per day.

“Splunk proved to be a SIEM technology that is flexible, efficient, and effective enough to handle the evolving demands of Expo’s cybersecurity environment,” according to Eman Al Awadi, Expo’s VP of cybersecurity and resilience.

SaskTel

With a mandate for excellent customer service and a need for enterprise-wide security monitoring, SaskTel looked to Splunk. Known as the leading information and communications technology (ICT) provider in Saskatchewan, Canada, SaskTel needed a scalable solution that could improve on their tedious and error-prone call trace process.

Not only did SaskTel achieve ROI within 90 days, the company is now able to more quickly prototype new and innovative products that bring value to their customers. 

Differentiators

Although Splunk is a small company compared to Microsoft and their competing Azure Sentinel product, customers report a more personalized experience with better-rated support.

Splunk Enterprise Security also excels at communicating with third-party software applications and services, offering many integrations, making it a clear choice for complex IT environments.

In addition to their commitment to enterprise security, Splunk is focused on data responsibility, diversity, ethical and inclusive growth, environmental sustainability, ethical business conduct, human rights, and responsible sourcing. The current initiatives and successes of their environmental, social, and governance (ESG) programs and practices are outlined in their FY21 Annual Report and Proxy Statement. 

Ratings

User reviews of Splunk Enterprise Security are filled with comments applauding the search functionality, ease of use, and simple implementation. Though some users report challenges and an initial steep learning curve for reporting tasks, reviews of Splunk’s customer service are overwhelmingly positive when support is required:

• Gartner Peer Insights: 4.4 out of 5
• G2: 4.4 out of 5
• TrustRadius: 8.5 out of 10
• Capterra: 4.6 out of 5

Pricing

Splunk Enterprise Security can be deployed on-premises or in the cloud. Although, Splunk Enterprise Security in the Cloud requires the purchase of a Splunk Cloud license.

To address the differing needs of all organizations, Splunk offers three pricing structures:

• Workload pricing: Customers are charged based on the number of Splunk Virtual Compute Units (SVCs), as determined by the number or searches and analysis tasks being performed.
• Entity pricing: Under this pricing model, the cost of Enterprise Security is determined by the number of hosts or protected devices being monitored and managed.
• Ingest pricing: Volume-based pricing based on the data ingestion into Splunk products, measured in GB per day. As customer needs increase, this pricing model scales proportionately.

All pricing plans include standard support, which includes access to new versions and updates, documentation, a live product roadmap, online case submission with status, phone support, and membership in the Splunk Answers community of experts. Premium support is available at an additional cost, offering faster response times and direct access to Splunk’s advanced support team. 

Conclusion

Preventing all security threats and attacks isn’t always realistic when businesses are faced with an ever-changing threat landscape. With the continuous monitoring and cumulative security intelligence offered by Splunk Enterprise Security, organizations can make better decisions faster.