Date: 2018-05-01

Verdict: While Splunk isn't typically thought of as a security tool, this is worth taking a look at if you already implement Splunk inside your environment – and even if you don't.

Summary

I trace my start in actual information security back to when I was working in network operations for a large MSSP. I remember looking through Splunk daily to help identify traffic patterns and traffic utilization for our clients. The Director of IT Operations was constantly looking for new ways to utilize Splunk. Fast forward a few years, and Splunk has really stuck to the operational side of things. I was really looking forward to getting my hands on Splunk Enterprise Security app to see if this operations tool can live up to my expectations as a security tool.

We were excited to see the new Splunk Enterprise Security app in action. Because Splunk granted SC Labs access to its web sandbox, however, we did not get a chance to work through the installation process, setup or load testing of the solution.

Splunk offers software installations for on-premises deployments as well as the popular cloud platforms. The Splunk system is extremely flexible and scalable to fit an organization of any size. Splunk ES can be deployed as software, as a cloud service, in a public or private cloud, or in a hybrid software-cloud deployment.

Signing back into the Splunk Enterprise Security app brought back some feelings of nostalgia, but that's where it ended. Splunk has continued to update the interface and modernize the dashboard. There was almost no learning curve navigating through the dashboard, and the other members of the review team, who had no prior experience with Splunk, had similar experiences.

Navigating through the app, you can quickly drill down to get valuable insight into various areas: your security posture, incidents to review, current investigations and many more. This Splunk app delivers insight into machine data generated by security technologies, covering network, endpoint, access, malware, vulnerability and identity information. While you can still tell that this started as an operations tool, the security insight provided by Splunk Enterprise Security will feel right at home in any SOC.

With the amount of data ingested into Splunk, one can quickly become overwhelmed by all the options and charts you can build. If you find yourself overwhelmed, Splunk offers a wide range of support options, including free support through Slack chat, user groups and detailed documentation.

The Splunk Enterprise Security app is an add-on to the Splunk Enterprise or Splunk Cloud solutions, which have a few different licensing methods to help it fit into the budget of any organization. Perpetual licensing for the Enterprise Security app starts at $5,000 for 1 GB/day and goes up to $50,000 for 100 GB/day.

Whether deployed for continuous real-time monitoring, rapid incident response, a security operations center (SOC), or for executives who need a view of business risk, Splunk ES delivers the flexibility to customize correlation searches, alerts, reports and dashboards to fit specific needs.

- Michael Diehl with Dan Cure;

tested by Matt Hreben and Michael Diehl