“WITH CRIBL.CLOUD, WE SUCCESSFULLY HIJACKED THE ENDGAME DATA STREAM. EVEN BETTER, I CARVED UP ALL SEVEN DIFFERENT DATA TYPES IN THE ENDGAME STREAM, SENDING EACH ONE TO ITS OWN PIPELINE.”
INFORMATION SECURITY ARCHITECT
“I SPENT A COUPLE OF WEEKS CASUALLY WORKING THROUGH CRIBL PIPELINES TO DO THE MOST REDUCTION OUT OF THE GATE. WE’RE REDUCING 9.25TB OF DAILY EDR DATA DOWN TO A LITTLE OVER 5TB A DAY — 41% TOTAL REDUCTION. INSTEAD OF HOLDING DATA IN ELASTIC FOR SEVEN DAYS, WE’RE HOLDING IT FOR 45.”
INFORMATION SECURITY ARCHITECT
To spot unusual activity on endpoints, including point-of-sale (POS) devices, Sally Beauty’s security team wanted a cleaner way to bring Endgame endpoint detection and response (EDR) data into Elastic Cloud. “Like many data sources, Endgame doesn’t let you pick and choose which components of the data stream you send, and where,” says Sheldon, Information Security Architect for Sally Beauty. That meant some data sent to Elastic Cloud was redundant. Other data wasn’t properly converted to the Elastic Common Schema (ECS), slowing down threat investigation and remediation.
“We wanted a more resilient and flexible data pipeline,” Sheldon says. The immediate need was converting the right Endgame data to ECS, and dropping unneeded fields to make room for additional data sources and retain relevant data for longer.
Sally Beauty saved even more time by replacing its syslog-ng and Logstash servers with redundant Cribl workers. The cutover was “quick and relatively painless,” according to Carmichael. “Compared to our syslog-ng and Logstash servers, Cribl pipelines are much more straightforward to manage, and they give me both GUI and command line access,” he says. He estimates that his team manages Cribl in one-quarter of the time they spent managing Logstash and syslog. “We don’t want our security engineers spending hours becoming wizards in Elastic, Logstash, and syslog-ng,” says Sheldon. “With Cribl, they don’t have to, which frees up more time for our real jobs — security. That’s Cribl’s biggest ROI.”
The redundant Cribl workers also make the data engine more resilient and easier to manage. The team performs rolling upgrades and maintenance on individual workers without interrupting the data flow.
Besides moving Endgame data into Elastic, Sally Beauty also uses Cribl to pull IT and Security data from sources that don’t have the capability to push, like their Network Detection and Response (NDR) solution and Microsoft Office365. “Before Cribl, to pull data from our NDR solution and O365, we had to run python scripts on separate servers acting as middleware to pull the data we wanted. That just adds to the systems and resources to maintain, along with everything else we have to manage manually vs in an automated fashion.” says Sheldon. “Cribl allowed us to collapse multiple functions and resources into a single solution with enterprise-grade support,” said Sheldon. This resilience, time savings, and flexibility is what ultimately persuaded Sheldon’s leadership to invest in Cribl.
Now Sheldon is planning to use Cribl to modify the Endgame dataset to emulate Elastic Agent data streams. “By doing this we can take advantage of Elastic’s hundreds of built-in detections, and add custom exclusions that persist when Elastic updates its rules, without having to modify each rule every time there’s an upgrade,” he says. The potential time savings are huge. Today the team has to clone the built-in detection rules, modify the observed indices in the rule to include Endgame, and add custom exceptions to tune the rules to Sally Beauty’s environment.
By using Elastic’s built-in detections and the modified data stream from Cribl, Sheldon expects to save significant time supporting upgrades, and to strengthen the company’s security footprint by using more properly tuned and updated detection rules. “A future version of Elastic might give me that capability,” he says. “But the fact that I can do it today with Cribl is pretty awesome, and allows me to apply the same functions to any other observability data we bring into our pipeline.”
Next up for Sally Beauty? Using Cribl to enrich the Endgame stream — for example, by mapping IP addresses to the device’s location (geo-IP) and incorporating threat intelligence. Wrapping up, Sheldon says, “We’ve seen big benefits from Cribl, and I’m a fan. If anyone reading this comes to a Cribl meetup, look me up if you want to talk nerdy.”
Cribl makes open observability a reality for today’s tech professionals. The Cribl product suite defies data gravity with radical levels of choice and control. Wherever the data comes from, wherever it needs to go, Cribl delivers the freedom and flexibility to make choices, not compromises. It’s enterprise software that doesn’t suck, enables tech professionals to do what they need to do, and gives them the ability to say “Yes.” With Cribl, companies have the power to control their data, get more out of existing investments, and shape the observability future. Founded in 2017, Cribl is a remote-first company with an office in San Francisco, CA. For more information, visit www.cribl.io or our LinkedIn, Twitter, or Slack community.