In part 1 of this post, we talked about how Cribl is empowering security functions by giving our customers freedom of choice and control over their data. This post focuses on their experiences and the benefits they are getting from our suite of products.

In a past life, I was in charge of security and operational logging at Transunion — around 2015, things started going crazy. The amount and complexity of data, the lack of staffing, and global deployment were causing me to pull out hair that had been turning gray for the same reasons. It seemed impossible to manage — we were looking for solutions to simultaneously manage our data, get it where it needed to go, and control our costs.

Cut to two years later — I have an initial meeting with the founders of Cribl, and they manage to knock a half million dollars off my analysis license during a demo. So naturally, I download the pre-1.0 installable shortly after and start managing data on my own in 15 minutes, without going to the command line or having to figure out my own regexes. With my code, I could see my raw data and what it looked like after I transformed it, without having to build an entire dev stack.

Starting from First Principles

This was my first introduction to some of the first principles that Cribl works from — ease of use, rapid adoption, and fast time to value. So many of the pain points I had with other tools were gone. I was finally in control of my data and able to choose what I wanted to do with it.

This was all with limited displacement costs — I could use all of my existing agents without deploying any new ones. I didn’t have to stop using Splunk, but I was able to get more value from it. From there, we were able to start carving out massive chunks of our license and start saving even more money. My boss couldn’t believe how fast the changes were delivering value.

Since I joined Cribl, I’ve become accustomed to hearing similar responses from customers. An executive said to me recently, “So you’re going to help me have better data, control my cost, lower my run rate, and scale my staffing all at the same time? You don’t see that every day.” He probably doesn’t see it daily, but these results are standard for our clients.

Mix and Match Capabilities to Build Up Your Security Stacks

We’re seeing more and more companies move to a best-of-breed strategy since they no longer have to be at the mercy of any specific vendor. Organizations can now use tools from one vendor for their SIEM, a different vendor for their UEBA, and even a third for their SOAR solution. This approach will become even more common because of how much simpler integrations are with Cribl.

In my previous company, my CISO wanted to bring Exabeam into the mix of our analysis tools. Using Cribl Stream, we got what would have normally been a six to nine-month integration process done in three weeks. I was happy because we were done fast, and he was happy because he got back the large chunk of change that he had budgeted for the months-long deployment. We could also put the saved engineering hours towards innovation instead of this and other business-as-usual tasks.

Migrate to a New SIEM With Minimal Risk

Another example of the power of Stream is the ability to perform data migration with minimal risk. One CISO we worked with was using a particular SIEM that many would prefer not to, but don’t want to get off of because the perceived risk of moving away from isn’t worth the cost.

Weakening their security posture was a valid concern, so we worked with this customer to put Stream in place and keep data going into the legacy SIEM while also forking data to the new one. As a result, he was able to migrate his detections and dashboards and make an A/B comparison to make sure his new SIEM was working as well as the old one. He even kept the old one running for 30 days after the cutover, taking all the risk out of the migration and speeding it up at the same time.

Our first principles guided us to build Stream using Javascript and build Search on an enhanced version of Cousteau, so they could be easily implemented. Search is also lambda-based and serverless. You can take sigma rules and convert them — allowing you to search and easily port over your threat rules and search algorithms. If you need to move to a more specific analytics package, you can do that as well.

All of these choices were made with the customer in mind, and by putting ease of use, rapid adoption, and fast time to value at the top of the priority list. You can give Cribl Stream, Edge, and Search a try with Cribl.Cloud and process up to 1TB/day for no charge.

Get more details on this and how Cribl is Operating at the nexus of Observability & Security data in Episode 22 of the Ink8r podcast!