“STREAM WAS A NO-BRAINER. IT WAS EXTREMELY EASY TO USE AND ADOPT. AFTER EACH CALL WE WOULD JOKINGLY INCREASE OUR DESIRED OUTCOME BECAUSE WE KNEW THE TOOL COULD BLOW IT OUT OF THE WATER.”
Director of Cyber Security Operations,
“A LARGE PART OF OUR STRATEGY WAS TO SEPARATE OUR HIGH-VALUE DATA INTO OUR PRIMARY SIEM AND OUR HIGH-VOLUME DAT INTO A SECONDARY, MORE COST-EFFECTIVE SIEM, CROWDSTRIKE LOGSCALE. WE NEEDED CRIBL TO WORK SEAMLESSLY WITH BOTH OF THESE SOLUTIONS.”
Director of Cyber Security Operations,
When the travel company expaneded, so did the responsibilities for their corporate security team. They needed to unify and secure their global footprint to maintain their security posture. Upgrading to Crowdstrike Falcon Data Replicator (FDR) met all of their requirements by furthering their Security Operation Center (SOC) with actionable insights from their Endpoint Detection and Response Solution (EDR).
However, after implementation, they found themselves facing an unexpectedly high volume of logs that exceeded the available license space and infrastructure capacity in their Security Information and Event Management (SIEM) tool, Splunk. This put them in the difficult position to prioritize which data they could onboard to drive detection content in their SIEM.
While searching for ways to manage their logging capacity and extract value from Crowdstrike endpoint telemetry data, their Director of Cyber Security Operations, was introduced to Cribl Stream.
“We worked with Cribl to optimize our FDR logs, and we really liked what we saw. We were able to solve our immediate issue with Crowdstrike FDR, by reducing our log volumes to the expected footprint without losing the context we needed for detection. This would allow us to remain within the licensing constraints for our SIEM.”Director of Cyber Security Operations
The Affordable Way to Desired Destinations
During the evaluation, the SOC team saw an immediate reduction in log volume, simply by leveraging the free Cribl Crowdstrike Pack. Cribl Packs, which can be found in the Cribl Pack Dispensary, are a set of readily available configurations designed to enable Cribl Stream administrators and developers to quickly reduce, optimize and enhance their Crowdstrike data.
“Using Cribl Packs we were able to achieve an immediate 50% reduction in the logs. From there we had team brainstorming sessions on how to reduce the volume of data without impacting the value. It was tricky, and it took us maybe 5-6 sessions, but we were able to achieve a 72% reduction, while still getting the context we needed for investigations.”Director of Cyber Security Operations
Making Data Travel Woes a Thing of the Past
After getting their logging volume under control, the team set their sights on the future: optimizing their security stack with Cribl Stream.
“A large part of our strategy is to separate data we would need for alerting purposes into Splunk, while data for retention and compliance purposes was directed towards affordable log retention, Crowdstrike LogScale. We needed Cribl to work seamlessly with both of these solutions.”Director of Cyber Security Operations
It’s important to note that there is no loss of data due to this segmentation. Instead of sending all FDR data directly to Splunk, Cribl is used to easily manage the data pipeline. Reduced, high-fidelity logs helpful for alerting are sent to Splunk, while voluminous raw logs, and logs for longterm compliance are directed to LogScale.
Although the strategy for SIEM Optimization sounds straightforward, the execution of sending the same data to disparate destinations usually requires leveraging each tool’s proprietary ingestion process. Cribl Stream acts as a unified pipeline, allowing several data sources to be modified and redirected, or even enriched with IOC or GeoIP data in flight. The SOC team discovered firsthand just how easy it was to leverage Cribl as part of the optimization process.
New Perspectives for Security
The combination of Cribl Stream’s routing and reduction functions gives the team the flexibility to spend less time managing data onboarding, configurations, normalization and licensing limitations. This provides them more time to focus on their jobs as security practitioners.
“With Cribl Stream, we reconfigured the data in one place, with a user-friendly GUI. You can make the changes in a matter of minutes and instantly see results–versus taking hours or days to understand the impact of your changes.”Director of Cyber Security Operations
“Stream was a no-brainer. It was extremely easy to use and adopt. After each call we would jokingly increase our desired outcome because we knew the tool could blow it out of the water,”Director of Cyber Security Operations
Cribl makes open observability a reality for today’s tech professionals. The Cribl product suite defies data gravity with radical levels of choice and control. Wherever the data comes from, wherever it needs to go, Cribl delivers the freedom and flexibility to make choices, not compromises. It’s enterprise software that doesn’t suck, enables tech professionals to do what they need to do, and gives them the ability to say “Yes.” With Cribl, companies have the power to control their data, get more out of existing investments, and shape the observability future. Founded in 2017, Cribl is a remote-first company with an office in San Francisco, CA. For more information, visit www.cribl.io or our LinkedIn, Twitter, or Slack community.