Case Study

How Siemens simplifies security operations with Cribl

Highlights

“WITHOUT CRIBL, DATA WE NEED DOESN'T MAKE IT INTO SPLUNK, AND WE LOSE ACCESS TO CRITICAL INTEL.”

PEDRO BORGES,
SENIOR SECURITY ENGINEER

“CRIBL HAS BECOME PART OF OUR CRITICAL PATH, BUT WE'RE JUST KIND OF SCRATCHING THE SURFACE OF WHAT WE CAN DO. WE'RE LEVERAGING SO MUCH MORE AS EACH WEEK GOES BY.”

SCOTT SCHWARTZ,
SOFTWARE ENGINEERING SENIOR MANAGER

“THE PLAN IS FOR ANY NEW APPLICATIONS AND LOG SOURCES TO GO THROUGH CRIBL, SO THAT WE CAN TRANSFORM THE DATA AND REPLAY IT WHENEVER WE NEED TO.”

PEDRO BORGES,
SENIOR SECURITY ENGINEER


The Cloud Security Operations team at Siemens Foundational Services manages over 800 cloud accounts and environments for its internal customers. Historically, handling the enormous volume of log data produced by those accounts was a monumental challenge. Since adopting Cribl Stream, the team has been able to send much more of the data that matters into its Security Information and Event Management (SIEM) system and improve its threat detection coverage.

One of the team’s goals is to continuously improve security monitoring of its environment. Gaining visibility into VPC flow logs and other high-volume data sources had been a top priority for some time, but the cost of ingesting that volume under its SIEM license held the team back.

The combination of Cribl and Amazon Security Lake finally opened up the possibility for getting the data they needed into Splunk.

“Ingesting that much data straight up from our different accounts wasn’t possible — until we learned about Cribl Stream. Now we have the flexibility to transform the data from Amazon Security Lake on its way to Splunk.”

Streamlined Data Onboarding Across the Entire Organization

Managing, onboarding, and routing logs from all these accounts used to require setup time from both the Cloud Security Operations (CSO) team and its internal clients. Now Siemens uses Amazon Security Lake to aggregate logs from all accounts and regions into one central place and to adjust data retention lifecycles as needed.

But without a way to easily get that data to Splunk, the switch to Amazon Security Lake wouldn’t have been as beneficial.

“Cribl Stream came to our rescue by letting us simplify the ingestion into our SIEM. We no longer have to take time away to set up infrastructure to accommodate the passing of data from one environment to the next — we just use Cribl to send it right to our Splunk environment.”

Significant Reduction in Data Volumes

Because Amazon Security Lake normalizes logs into the Open Cybersecurity Schema Framework (OCSF), events are large and detailed, and they carry many fields that have no relevance to the detections Siemens runs. The ability to easily trim this data made Cribl Stream the natural complement to the team’s Amazon Security Lake integration.

“We use the Cribl pipelines to take this massive JSON log format and just extract the fields that are critical to us. If we only really care about 10 specific fields, we reduce events to those 10 and that’s it.”

For VPC flow logs and S3 data, the team at Siemens also aggregates events over a time window rather than forwarding every event individually, which saves both bandwidth and ingest volume.

“We’re also using Cribl Stream to combine events. From a security detection standpoint, it's great because our analysts can just see if an endpoint was hit, instead of seeing the same event multiple times in a Splunk search. Then we can pivot into when and how many times, or dive into the raw data if we need to.”
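The two transformations described above, keeping only the fields the detections need and then rolling repeated events up into one summary per time window, as an added illustrative example in Python. This is not Cribl’s pipeline configuration or Siemens’ code; it reimplements the logic on constructed records whose shape loosely follows the OCSF Network Activity class (class_uid 4001). The field allowlist, the five-minute window, the aggregation key, and the assumption that `time` is epoch milliseconds are all choices made here, not taken from the case study.

```python
"""
Field reduction and time-window aggregation of OCSF-style events.

Illustrative Python, not a Cribl Stream pipeline: it shows the two
transformations the case study describes (keep only the fields the
detections need, then roll repeated flows up into one summary) on
constructed input.
"""
import json


def _flow(time_ms, dst_port, action_id, nbytes, packets):
    """Build one constructed flow record carrying the noise fields a real
    OCSF record has alongside the few fields the detections actually use."""
    return {
        "class_uid": 4001,
        "category_uid": 4,
        "activity_id": 6,
        "action_id": action_id,      # OCSF: 1 = Allowed, 2 = Denied
        "time": time_ms,             # assumed epoch milliseconds
        "src_endpoint": {"ip": "10.0.1.5", "port": 51000, "interface_uid": "eni-0abc123"},
        "dst_endpoint": {"ip": "10.0.2.10", "port": dst_port},
        "connection_info": {"protocol_num": 6, "direction_id": 1},
        "traffic": {"bytes": nbytes, "packets": packets},
        "cloud": {"account": {"uid": "123456789012"}, "region": "eu-central-1"},
        "metadata": {"product": {"vendor_name": "AWS", "name": "Amazon VPC"}, "version": "1.0.0"},
        "unmapped": {"log_status": "OK", "tcp_flags": 19, "pkt_srcaddr": "10.0.1.5"},
        "severity_id": 1,
        "type_uid": 400106,
    }


# Constructed input (made-up values): three allowed HTTPS flows and one denied
# SSH flow inside one five-minute window, plus one allowed flow in the next.
SAMPLE_LINES = [json.dumps(e) for e in (
    _flow(1700000000000, 443, 1, 1200, 9),
    _flow(1700000030000, 443, 1, 800, 6),
    _flow(1700000045000, 22, 2, 60, 1),
    _flow(1700000090000, 443, 1, 500, 4),
    _flow(1700000150000, 443, 1, 300, 3),
)]

# Allowlist of dotted paths; an assumption standing in for the
# "10 specific fields" mentioned in the text.
KEEP_FIELDS = (
    "time", "class_uid", "action_id",
    "src_endpoint.ip", "src_endpoint.port",
    "dst_endpoint.ip", "dst_endpoint.port",
    "connection_info.protocol_num",
    "traffic.bytes", "traffic.packets",
)


def get_path(obj, dotted):
    """Resolve a dotted path such as 'src_endpoint.ip'; None if absent."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def reduce_event(event, keep=KEEP_FIELDS):
    """Keep only allowlisted paths, flattened to dotted keys."""
    out = {}
    for path in keep:
        value = get_path(event, path)
        if value is not None:
            out[path] = value
    return out


def aggregate(reduced_events, window_seconds=300):
    """Roll up events sharing (window, src, dst, dst port, proto, action) into
    one summary with a count, byte/packet totals and first/last seen times."""
    buckets = {}
    for ev in reduced_events:
        t_ms = ev.get("time", 0)
        window_start = (t_ms // 1000 // window_seconds) * window_seconds
        key = (window_start, ev.get("src_endpoint.ip"), ev.get("dst_endpoint.ip"),
               ev.get("dst_endpoint.port"), ev.get("connection_info.protocol_num"),
               ev.get("action_id"))
        b = buckets.get(key)
        if b is None:
            b = buckets[key] = {
                "window_start": window_start,
                "src_endpoint.ip": key[1], "dst_endpoint.ip": key[2],
                "dst_endpoint.port": key[3], "connection_info.protocol_num": key[4],
                "action_id": key[5],
                "event_count": 0, "traffic.bytes": 0, "traffic.packets": 0,
                "first_seen": t_ms, "last_seen": t_ms,
            }
        b["event_count"] += 1
        b["traffic.bytes"] += ev.get("traffic.bytes", 0)
        b["traffic.packets"] += ev.get("traffic.packets", 0)
        b["first_seen"] = min(b["first_seen"], t_ms)
        b["last_seen"] = max(b["last_seen"], t_ms)
    return sorted(buckets.values(),
                  key=lambda b: (b["window_start"], b["dst_endpoint.port"], b["action_id"]))


def process(lines, window_seconds=300):
    """Parse JSON lines, reduce, aggregate.
    Returns (reduced events, summaries, output bytes / input bytes)."""
    events = [json.loads(line) for line in lines]
    reduced = [reduce_event(e) for e in events]
    summaries = aggregate(reduced, window_seconds)
    before = sum(len(line) for line in lines)
    after = sum(len(json.dumps(s)) for s in summaries)
    return reduced, summaries, after / before


if __name__ == "__main__":
    _, summaries, ratio = process(SAMPLE_LINES)
    for s in summaries:
        print(json.dumps(s))
    print(f"output bytes / input bytes: {ratio:.2f}")
```

The summary keeps the analyst-facing question ("was this endpoint hit, and how often?") answerable from one event per window, while `first_seen` and `last_seen` preserve the pivot back into when; the raw records would still have to be retained elsewhere (in the lake, for instance) for the "dive into the raw data" step, since this aggregation is lossy by design.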

Leveraging Cribl Search for Incident Investigations

The Cloud Security Operations team at Siemens is all in on Cribl Stream and is just starting to realize the benefits of Cribl Search. During a recent investigation, the team needed to determine what was accessing certain S3 objects, and found an easy way to do it.

“We had all the data in Amazon Security Lake, but I wasn't ready to start setting up Athena to start reading it. I decided to use Cribl Search instead, and within 5-10 minutes, I was able to start searching. It was relatively easy to implement, and I was able to get the data that I needed quickly.”

More Cribl in the Future

Siemens has had a lot of success so far with Cribl, and the team is excited to continue down the same path to see what else it can do. EKS audit logs and WAF logs are next on the list of sources to tackle.

“We’ve struggled with WAF logs in the past, just due to the sheer volume. Using Cribl to do some similar reductions and summarizations is going to allow us to bring that data in and run it against the threat intelligence detections that we have in place.”

Historically, when internal clients wanted to send application logs, the CSO team would provide them with the right HEC token, endpoint, index, source type, and so on, so they could send data directly to Splunk. That workflow worked, but the logs it delivered were often noisy and consumed more license volume than they were worth.

“With our previous process, it was great that we were able to get those logs, but sometimes they contained a lot of noise. We've updated our process so that instead of going directly to Splunk HEC, they'll be going through the Cribl-Splunk HEC input, and we’ll get a lot of that space back.”


About Cribl

Cribl makes open observability a reality for today’s tech professionals. The Cribl product suite defies data gravity with radical levels of choice and control. Wherever the data comes from, wherever it needs to go, Cribl delivers the freedom and flexibility to make choices, not compromises. It’s enterprise software that doesn’t suck, enables tech professionals to do what they need to do, and gives them the ability to say “Yes.” With Cribl, companies have the power to control their data, get more out of existing investments, and shape the observability future. Founded in 2017, Cribl is a remote-first company with an office in San Francisco, CA. For more information, visit cribl.io or our LinkedIn, Twitter, or Slack community.