When Stream Meets Lake: Cribl’s Integration With Amazon Security Lake Helps Customers Address Data Interoperability

May 30, 2023
Written by
Jackie McGuire's Image

Jackie McGuire is a Senior Market Strategy Manager at Cribl, focused on the security mark... Read Moreet. Prior to joining Cribl, Jackie was a Research Analyst with S&P Global, writing, speaking, and providing thought leadership on information security and Web3. Jackie has also worked as a data scientist in cybersecurity, developing behavior analysis and anomaly detection models, been co-founder, CEO, and CFO for several startups, and before her work in technology, was a licensed securities broker and SEC Registered Investment Advisor. Read Less

Categories: Announcements

We’re excited to announce that Cribl integrates with Amazon Security Lake from Amazon Web Services (AWS). Now generally available, Amazon Security Lake allows customers to build secure data storage from integrated cloud and on-premises data sources, as well as their private applications, using the Open Cybersecurity Schema Framework (OCSF). OCSF is a new industry standard initiative for the normalization of security telemetry announced in August 2022. AWS Partners and customers can use Cribl to ingest data from any third-party source, seamlessly convert it into OCSF, and route it to Amazon Security Lake.

What’s the Big Deal?

To protect their organizations, security professionals need to move at the speed of technology. Monitoring, detecting, and responding to threats in a rapidly evolving landscape requires teams to quickly analyze telemetry and log data across multiple tools, technologies, and vendors. As if this challenge weren’t enough, teams must balance the need to collect enough data to effectively secure their organizations with the cost of storing and searching that data.

According to Cribl’s State of Security Data Management 2022 Report, nearly two thirds of survey respondents are managing over 30 data sources. And each data source has its own formats, fields, and syntax. Incompatible or unsupported formats from one tool to the next leave many customers struggling to leverage insights from their data. Forget that noise.

How Cribl and AWS are supporting OCSF

Amazon Security Lake helps organizations aggregate, manage, and derive value from log and event data in the cloud and on-premises, giving security teams greater visibility across their organizations and reducing the complexity and costs for customers to access and manage their security data. Customers can use the security and analytics solutions of their choice to simply query data in place or ingest the OCSF-compliant data for threat detection, investigation, and incident response.

While Amazon Security Lake natively supports the OCSF standard for Amazon’s own products, Cribl is the only launch partner actively helping customers get data from any 3rd party source and transform it to OCSF complete with the partitioning and format (parquet) required. Customers then have the choice and control to route it to Amazon Security Lake, and any additional OCSF-enabled tools.

“The integration between Cribl and Amazon Security Lake is essential in accelerating data onboarding from third-party sources and providing customers with a comprehensive overview of their organization. With Cribl, customers have the ability to format and shape their data, allowing them to utilize Amazon Security Lake or send it to any analytics tool. As customers evaluate Amazon Security Lake, they rely on Cribl to search, route, optimize, and transform data efficiently.”

– Rod Wallace, General Manager for Amazon Security Lake

Customer Benefits

Centralizing data from on-premise and cloud sources in a storage solution purpose-built for quickly normalizing, managing, and searching data is critical for protecting the modern enterprise, delivering improved protection of workloads, applications, and data, and driving visibility across the organization.

With Cribl, AWS customers gain the freedom to choose from any of the OCSF-enabled tools and services that meet their needs without having to reformat their data on their own through the following capabilities:

  • Route Data from 3rd party sources to Amazon Security Lake – Accelerate data onboarding from any 3rd party source to gain greater visibility across your security and operating environments
  • Transform data into OCSF in parquet schema – Enrich raw data from any source with a repeatable transformation process that requires minimal effort for modifications.
  • Search data in Amazon Security Lake – Increase the scope of analysis and mine data at rest in OCSF for quicker searches to capture deeper insights.

Cribl Amazon Security Lake

Cribl and Amazon Security Lake Architecture

“With the explosion of data and the rapidly changing security climate, security teams struggle to continuously monitor, detect, respond to, and mitigate threats,” said Abby Strong, SVP of Customer Experience and Marketing at Cribl. “Together with Amazon Security Lake, we’re excited to give AWS customers the freedom to ingest data from anywhere and then route it to Amazon Security Lake or any of the OCSF-enabled tools that meet their needs. Cribl makes it easy to get data in and search it to gain insights directly from an Amazon Security Lake.”

Here are some examples of how this integration helps you take back control over your security data:

  1. Analyze data from endpoint, network, application, and cloud sources in one place, in one purpose-built format, so you can quickly find, correlate, and respond to security events.
  2. Empower the entire organization with granular access controls and custom data streams, making it easier to provide the right data to the right users, while preventing unauthorized access and remaining compliant with regulations

How to Get Started

Learn how Cribl can help you with your AWS use case with a custom demo.

Leverage our AWS-validated open source Cribl Packs and our Amazon Security Lake destination tile to get started quickly. Use Cribl’s no-code intuitive UI to transform any event into OCSF-compliant formats and send them to the best destination, or multiple destinations to deliver your desired security, compliance, and analytics outcomes.

Here are the Cribl Packs that are being mapped to OCSF today:

  • OCSF Post-Processing Pack – If you have your own data sets you want to map, leverage this on GitHub as a reference to build from
    • ZScaler Web Logs
    • ZScaler Firewall Logs
    • PAN Firewall Traffic
    • PAN Firewall Threat
  • Cribl Packs Dispensary
    • CrowdStrike FDR Pack
    • SentinelOne Cloud Funnel (coming soon)
    • Splunk Forwarder Windows Classic Events to OCSF
    • Cisco ASA
    • Cisco FTD
    • Google Cloud Audit Logs to OCSF

Learn More

Feature Image

Navigating the Mainframe Logging Maze: Insights for the Modern IT Professional

Read More
Feature Image

The Stream Life Episode 100: Storm Drains and Data Lakes

Read More
Feature Image

Why Netbuilder’s Service Model Is a Win-Win for the Company and Its Clients

Read More

Try Your Own Cribl Sandbox

Experience a full version of Cribl Stream and Cribl Edge in the cloud with pre-made sources and destinations.