Case Study

Fortune 500 Investment Services Firm Puts Cribl at the Center of Shift to Modern, Cloud-Native Architecture

Highlights

“WE HAVE CAPABILITIES NOW THAT WE WOULD HAVE NEVER GOTTEN IF WE HADN'T MOVED TO CRIBL. IT’S MADE MORE THINGS POSSIBLE DUE TO ITS FLEXIBILITY AND EXTENSIBILITY IN TERMS OF WORKING WITH APIS.”

SECURITY ENGINEERING LEADER

“IT’S EXCITING SEEING WHAT'S POSSIBLE WITH CRIBL STREAM AND SEEING HOW IT STIMULATES THE TEAM TO THINK OF NEW WAYS WE COULD USE IT TO STRENGTHEN OUR SECURITY INFRASTRUCTURE.”

SECURITY ENGINEERING LEADER

“WE’RE A SAAS-FIRST COMPANY, SO USING CRIBL’S PRODUCTS DOESN’T FEEL NEW OR FOREIGN. IT’S EASY TO SEE HOW THE PERMISSIONS BOUNDARIES WORK, SO IT'S PRETTY MUCH UNDERSTOOD THAT WE CAN TRUST IN THE SECURITY OF THE PLATFORM.”

CLOUD SOLUTIONS SENIOR ENGINEER


This Fortune 500 financial advice and investment services firm serves investment clients in the U.S. and Canada. They have more than 15,000 locations, 50,000 employees, and nearly eight million clients worldwide.

After taking a closer look at their security architecture a few years ago, the team at a Fortune 500 financial advice and investment services firm decided it was time to upgrade their tooling. Poor data quality and the subsequent bugs that would routinely pop up prompted the desire to shift to a more modern, cloud-native infrastructure.

They made it a point to only work with tools that would integrate well together and scale with the organization, allowing for growth without being tied to specific vendors. By partnering with Security Risk Advisors (SRA), a trusted MSSP, they chose Microsoft Sentinel and Palo Alto XSOAR as the foundation for their SOC operations, and Cribl Stream to route data to those and other current or future destinations.

“Once we discovered that Cribl could multiplex data out to different destinations, it started to fit really well into our plan, including our desire to build a data lake. Having it at the core of our toolkit was very attractive; with Stream, we had options.”

With help from SRA, the team finished replacing their SIEM and built out their data lake with Azure Blob Storage. They were able to perform even more complex analytics, incorporating statistical analysis and elements of machine learning.

More Sophisticated Threat Modeling and Detection

From a detection capability and strategy point of view, the team has finally implemented some of what they’ve been envisioning for a while. Standard out-of-the-box detections helped the team to get baseline risk coverage, but to get the coverage the security team needed and wanted, they needed specific data and the ability to build custom detections on that data in line with the priorities for the business.

“With Cribl Stream in place, our detection capabilities are much more robust. Now we can identify more than just the very obvious things that our web application firewall or endpoint agents tell us.”

The senior technical architect can now sit with different teams on the technology and business sides of the organization and put all the pieces together. He can understand normal and expected behaviors, as well as what’s anomalous, to do more sophisticated threat research and modeling.

Better Reporting and Insights Into Business Activities

Having a data lake benefits not just the security team, but the rest of the business. Easy access to clean, historical data allows for trend analysis across departments, whether teams are reporting to leadership or understanding and planning for the growth of the whole firm.

“The data lake gives us access to vast quantities of data over time, allowing for analysis at scale and insight into deviations for certain business units or activity in our environment. With Cribl Stream, we’re able to notice malicious patterns, but we can also see more of the normal patterns that impact the business.”

Before Stream they could only collect limited data sets, which made it impossible for the team to see trends or patterns in their data. Were certain events one-offs? Were they happening monthly? Every six months? Now they have eliminated the guessing game, matured their security model, and approach security proactively.

Accelerated Cloud Migration

The security engineering team has also used Cribl Stream to assist with and accelerate their migration to the cloud. Their old legacy tech stack included proprietary agents that were only there to support their specific SIEM. The newfound flexibility of using Stream to send relevant data in the optimal format to various tools, detections, and dashboards has made things much easier.

The security team is also making sure the rest of their organization benefits from Stream. No matter how impressive some of the other tools in their toolkit were, many of them could only ship data to one location or in one format. Now everybody gets the data they need, however they need it.

“With Cribl Stream, we can get the data our old SIEM collected, as well as any other data we want to collect. It allows us to serve other platforms and the other teams in our organization the right data. We can all work together now to collect data once and get it to everybody that needs it, in the optimal format.”

Easy Compliance With Regulatory Requirements

As a financial services firm, the team has to meet specific regulatory requirements, such as NIST. The retention and sizing for their data lake platform are based on what their analysts and security team need, but Stream helps them strike the right balance between compliance, cost, and access to their data.

“Cribl Stream allows us to retain data for compliance storage in a separate location and at a significantly lower cost. With this setup, we're able to check the boxes for compliance, but also know that our data is accessible if we need it.”

Democratizing Access to Data

Of all the reasons the team is happy to have Cribl Stream in their toolkit, this ability to democratize data is at the top of the list for them. In the past, they always found some limitations on the data they were able to collect, no matter the size of the company or the tools they had been using.

Even if they could collect it, whether or not it would be usable again would depend on the vendor it ended up with. Inevitably, only some of the data ends up indexed or searchable in a meaningful way.

“Cribl Stream gives us the visibility and data that we need, along with uninhibited access. We’re no longer limited by any of the tools in our toolkit.”

In talking to the other teams at the financial services company before bringing Cribl on board, the Security Engineering Leader and Senior Technical Architect noticed a general dissatisfaction with the state of data affairs. They’re happy to share that the feeling has all but disappeared.

“There was a discernible gap between what everyone wanted to be able to do and what they were currently able to do. Certain products wouldn’t work or return useful results, so they went unused. Cribl Stream is helping us make full use of all of our tools.”

Since they’ve integrated Stream into their architecture, they’ve been able to breathe a sigh of relief, knowing that they no longer have to worry about whether or not they have the coverage they need and full control over the data flowing through their security setup.

Find out more about how Cribl Stream can help you streamline the discovery, exploration, and storage of any data from any source, leverage schema-on-need to optimize storage and compute overhead, and dispatch only valuable data to any destination now and in the future.

Get Cribl, and take control of your data.

About Security Risk Advisors

Security Risk Advisors (SRA) is a Cribl Partner who provides specialized security services including Cribl Engineering and Enablement, Penetration Testing, Purple Teams, Cloud Security, Resilience, Cyber Physical Systems Security, Engineering, and 24x7x365 Cybersecurity Operations. SRA’s mission is to “Level Up” every day to protect our clients and their customers. SRA delivers security services to Fortune and Global 1000 companies, innovating technology startups, and mission-oriented non-profits across Healthcare, Pharmaceutical, Retail, Financial Services, and Manufacturing industries. SRA is headquartered in Philadelphia, with offices in Rochester, and Kilkenny, Ireland. SRA is an official partner of Cribl (https://sra.io/cribl/).

About Cribl

Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy. Customers use Cribl’s vendor-agnostic solutions to analyze, collect, process, and route all IT and security data from any source or in any destination, delivering the choice, control, and flexibility required to adapt to their ever-changing needs. Cribl’s product suite, which is used by Fortune 1000 companies globally, is purpose-built for IT and Security, including Cribl Stream, the industry’s leading observability pipeline, Cribl Edge, an intelligent vendor-neutral agent, and Cribl Search, the industry’s first search-in-place solution. Founded in 2018, Cribl is a remote-first workforce with an office in San Francisco, CA.

Learn more: cribl.io
Try now: Cribl Sandboxes
Join us: Slack community
Follow us: LinkedIn and Twitter
