
Case Study

Cribl Stream Improves the Efficacy of Fortune 20 Health Insurance Provider Security Team by Providing More Structured, Relevant Data

Highlights

“EVERY YEAR ONE OF OUR TOP OBJECTIVES IS TO REDUCE OUR MTTR; CRIBL HAS BEEN INSTRUMENTAL IN HELPING US ACHIEVE TANGIBLE RESULTS THIS YEAR.”

“ONCE WE ROUTED EVERYTHING TO CRIBL, WE WERE ABLE TO RETIRE OUR HEAVY FORWARDER.”

“CRIBL’S CAPABILITY TO TRANSFORM LOGS INTO METRICS MADE IT EASY TO SHOW THOSE METRICS TO THE RIGHT PEOPLE.”


This Fortune 20 health insurance provider focuses on an integrated, holistic approach toward improving the health of humanity. They are redefining health, reimagining the system, and strengthening communities along the way. Industry-leading capabilities empower their unique digital platform, and their forward-thinking approach extends to their IT and Security teams. They recently began using Cribl Stream to manage the enormous amounts of data flowing through their organization and are very excited about its capabilities.

“Every year, one of our key objectives is to reduce MTTR,” says the Senior Director of Service Intelligence, who is responsible for the health insurance provider’s APM strategy, managing its Splunk license, and supporting event management and AIOps for more than 700 applications. With all of that on the team’s plate, they knew that adding Cribl Stream to the toolkit would be beneficial. The early results Stream has produced, namely helping them better manage Splunk licensing and performance, have already helped to reduce MTTR, but they have only scratched the surface of the potential benefits.

An Information Diet for the Elephant in the Room
The company employs 100,000 people and serves over 100 million customers, so it’s safe to say they’re working with massive amounts of data. Because they’re required by law to bring all that data into a central log repository, their Splunk spend is through the roof. By putting Cribl Stream in place, they can significantly reduce the amount of data moving through Splunk. They started with AWS CloudTrail data and have already seen a 30-40% reduction in data volume from that source.

More Structured Data is Easy on the Eyes
The Service Intelligence team is also responsible for getting the organization’s data in through Splunk and over to its security team for threat detection. Cribl Stream is making that process easier for everyone. The reduction capabilities alone have made it so that there is less noise to sort through, but the team also plans to use Stream to transform logs into metrics.

“Reading through logs isn’t the most fun way to spend the day — especially if you're dealing with network logs and firewall logs — so that's one territory we’re exploring. We’re going to put our firewall logs through Cribl, then transform them to metrics that we can put into the Elastic Search platform for our security team.”

Using Stream to Reduce MTTR
The health insurance company is consistently trying to reduce its MTTR, and this strategy of cleaning up data for the security team gives them a way to improve it. Normalized, structured data makes monitoring much more efficient and allows security to quickly see whether something is going on. Cribl Stream lets them normalize, and add structure and context, in flight, so that when the data hits Splunk it is ready to generate meaningful alerts for detection or evidence for remediation. They also plan to use Stream to improve AIOps — if their event management is intelligent, they can do predictive analysis better and see problems before they happen. Getting the right people engaged the first time around is a priority.
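The two techniques described above, transforming firewall logs into metrics and normalizing events into one schema in flight, can be shown end to end with a small Python script. This is an added example, not Cribl Stream's code or the customer's pipeline; the two log formats, field names, hosts, addresses, the per-minute windows and the choice of action and destination port as metric dimensions are all constructed for illustration.

```python
"""Added example (not Cribl Stream's code or the customer's pipeline):
normalize firewall log lines from two constructed vendor formats into one
schema, then roll them up into per-window metrics so analysts see counts
and byte totals instead of raw lines. Formats, field names and values are
assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed line formats: a key=value syslog style and a CSV style.
_KV = re.compile(
    r"^(?P<ts>\S+) \S+ action=(?P<action>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)
_CSV = re.compile(
    r"^(?P<ts>[^,]+),(?P<src>[\d.]+),(?P<dst>[\d.]+),(?P<dport>\d+),"
    r"(?P<action>\w+),(?P<bytes>\d+)$"
)
# Vendors disagree on the word for a blocked packet; fold them into "deny".
_DENY_WORDS = {"deny", "drop", "block", "reject"}


def normalize(line):
    """Map either format onto one schema; return None for lines that parse in neither."""
    m = _KV.match(line) or _CSV.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "action": "deny" if d["action"].lower() in _DENY_WORDS else "allow",
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "bytes": int(d["bytes"]),
    }


def window_start(ts, window_s=60):
    """Epoch seconds of the aggregation window containing an ISO-8601 UTC timestamp."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(t.timestamp())
    return epoch - (epoch % window_s)


def build_metrics(lines, window_s=60):
    """Turn raw lines into metrics: events keyed by (window, action, dport),
    denies keyed by (window, src), plus a count of lines that parsed in no
    format, so the reduction never silently discards data."""
    events = defaultdict(lambda: {"count": 0, "bytes": 0})
    denied_src = defaultdict(int)
    unparsed = 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed += 1
            continue
        w = window_start(ev["ts"], window_s)
        agg = events[(w, ev["action"], ev["dport"])]
        agg["count"] += 1
        agg["bytes"] += ev["bytes"]
        if ev["action"] == "deny":
            denied_src[(w, ev["src"])] += 1
    return {"events": dict(events), "denied_src": dict(denied_src), "unparsed": unparsed}


# Constructed sample input (not real customer data).
SAMPLE_LINES = [
    "2024-05-01T10:00:07Z fw01 action=deny src=10.0.0.5 dst=203.0.113.9 dport=445 bytes=120",
    "2024-05-01T10:00:09Z fw01 action=allow src=10.0.0.7 dst=203.0.113.10 dport=443 bytes=5400",
    "2024-05-01T10:00:31Z,10.0.0.5,203.0.113.9,445,DROP,120",
    "2024-05-01T10:00:45Z,10.0.0.5,203.0.113.11,445,DROP,120",
    "2024-05-01T10:01:02Z fw01 action=deny src=10.0.0.9 dst=203.0.113.9 dport=22 bytes=80",
    "this line matches neither format",
]

if __name__ == "__main__":
    m = build_metrics(SAMPLE_LINES)
    for key, agg in sorted(m["events"].items()):
        print(key, agg)
    print("denied by source:", m["denied_src"])
    print("unparsed lines:", m["unparsed"])
```

Two details matter for a security consumer of these metrics. Normalization runs before aggregation, so one vendor's DROP and another's deny land in the same counter, and the unparsed count is returned alongside the metrics so that an upstream format change shows up as a rising number rather than as silently missing data; a practitioner would alert on that counter as well as on the denies.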

“We created a dashboard to look at how much we’re saving in terms of dollars for each data source to get a better view on how we’re controlling our overall Splunk expense. This gives us more headroom for additional data sources, and gives us a view of how we’re enhancing Splunk performance, which contributes to our enhanced MTTR numbers.”

Wading Through the AWS Message Backlog to Avoid Losing Data
Another immediately useful application of Cribl Stream came in the form of reducing the burden on the company’s heavy forwarders. When they first implemented Stream, they had close to 40 million messages in a queue to be sent to them from AWS. Those messages were on the cusp of expiring, so they were running the risk of losing all of that data.

“When we retired the heavy forwarders and routed everything to Cribl, our AWS message queue went down to zero within twenty-four hours — everything started flowing through, and that potential risk of losing data was gone by the next day.”

The Future is Bright

The team is excited to finally take advantage of all of the capabilities Stream has to offer, and masking PII data is next on the list of use cases. Stream’s mask function will help them manage their APM users that have sensitive information in their URLs, and the handful of applications that use PII data in their logs.
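Masking PII carried in URLs, as described above, can be done per event before the data reaches APM or SIEM storage. The following Python is an added example and is not Cribl Stream's Mask function; the parameter names, the member-ID format (MBR followed by digits), the hostnames and the sample events are assumptions. It shows two modes: plain redaction, and keyed tokenization so the same member ID maps to the same token across events (sessions and distinct counts still correlate) while the raw value is never stored.

```python
"""Added example (not Cribl Stream's Mask function): redact or tokenize
PII in URLs carried by APM/access-log events before they reach storage.
Parameter names, the member-ID format, hostnames and sample events are
assumptions for illustration."""
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed: query parameters that always carry PII, whatever their value.
SENSITIVE_PARAMS = {"ssn", "dob", "email", "member_id"}
# Assumed value shapes that are PII wherever they appear (query or path).
_SSN = re.compile(r"^\d{3}-\d{2}-\d{4}$")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_MEMBER = re.compile(r"^MBR\d{6,}$")  # constructed member-ID format
REDACTED = "REDACTED"


def looks_sensitive(value):
    """True if a decoded query value or path segment matches a PII shape."""
    return bool(_SSN.match(value) or _EMAIL.match(value) or _MEMBER.match(value))


def _token(value, key):
    """Keyed pseudonym: stable for the same input and key, so events still
    correlate, but not recoverable without the key. Truncated for readability."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + tag[:12]


def mask_url(url, key=None):
    """Mask PII in the query string and path of one URL.
    With key=None values are replaced by REDACTED; with a bytes key they are
    replaced by a keyed token. Returns (masked_url, number_of_values_masked)."""
    parts = urlsplit(url)
    masked = 0

    def mask(value):
        nonlocal masked
        masked += 1
        return _token(value, key) if key else REDACTED

    query = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS or looks_sensitive(value):
            value = mask(value)
        query.append((name, value))

    segments = [mask(s) if looks_sensitive(s) else s for s in parts.path.split("/")]

    out = urlunsplit((parts.scheme, parts.netloc, "/".join(segments),
                      urlencode(query), parts.fragment))
    return out, masked


def mask_event(event, key=None, field="url"):
    """Apply mask_url to one event dict in flight and record how many
    values were masked, so masking coverage can itself be measured downstream."""
    out = dict(event)
    if isinstance(out.get(field), str):
        out[field], out["pii_masked"] = mask_url(out[field], key)
    else:
        out["pii_masked"] = 0
    return out


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    {"url": "https://apm.example.test/v1/members/MBR0012345/claims?ssn=123-45-6789&page=2", "status": 200},
    {"url": "https://apm.example.test/login?email=jane%40example.com", "status": 302},
    {"url": "https://apm.example.test/health", "status": 200},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(mask_event(ev)["url"])
        print(mask_event(ev, key=b"demo-key-keep-in-a-secret-store")["url"])
```

The tokenization key is a secret on the same footing as the data it protects: anyone holding it can confirm a guessed SSN or member ID by recomputing the tag, so it belongs in the pipeline's secret store, not in the rule configuration. Note also that parse_qsl and urlencode re-encode untouched query values, so keep exact-match checks on a few representative URLs when the masked URLs feed dashboards that group by URL.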

They’re also going to use Cribl to route data to their SIEM, forking off the Splunk-bound data that needs to go to Sumo Logic or Exabeam. The Senior Director also talked about their plan to make use of Stream’s ability to keep full-fidelity copies of data in cheap storage. More voluminous logs will route through Stream into storage, where teams can replay them into analysis tools should the need for longer-term investigations arise.

“I involved our security team from very early on when we first started thinking about Cribl — they understand the simplicity and benefits of being able to send data directly to our SIEM, UEBA tools, or to low-cost storage, and mask PII data in flight, among all the other things Stream can do.”

There are many opportunities for the company in its partnership with Cribl Stream. A more cost-effective and performant Splunk footprint, significant improvements in MTTR, and massive cost and time savings are right around the corner.


About Cribl

Cribl makes open observability a reality for today’s tech professionals. The Cribl product suite defies data gravity with radical levels of choice and control. Wherever the data comes from, wherever it needs to go, Cribl delivers the freedom and flexibility to make choices, not compromises. It’s enterprise software that doesn’t suck, enables tech professionals to do what they need to do, and gives them the ability to say “Yes.” With Cribl, companies have the power to control their data, get more out of existing investments, and shape the observability future. Founded in 2017, Cribl is a remote-first company with an office in San Francisco, CA. For more information, visit www.cribl.io or our LinkedIn, Twitter, or Slack community.
