Highlights
Reduced SIEM migration timeline from six months to three weeks
Simplified data collection architecture with Cribl Edge nodes
Provided a centralized logging platform
Reduced Splunk software ingest by approximately 25%
This American Retailer recently became an independent, public company. This divestiture was a major undertaking, requiring this retailer’s security team to separate and re-implement around 500 applications over a 3-year period.
As part of this process, the security team had to establish its own technology infrastructure, minimize their Splunk software costs, and evaluate and migrate to a new Security Information and Event Management (SIEM) solution. To achieve these goals, they turned to a combination of Cribl Stream and Cribl Edge.
Data collection and cutting costs
One of the first use cases the security team tackled was optimizing their data to reduce daily ingest. They used Cribl Packs and custom pipelines to trim high-volume sources such as Windows Event Logs and Palo Alto firewall logs. Across all of these reductions, the team cut daily ingest by approximately 25%.
“Prior to using Cribl, we licensed 1TB per day of Splunk software ingest – a license we regularly exceeded. Implementing Cribl Edge reduced data ingestion so significantly that, when it came time to renew, we were able to reduce our license to just 750GB a day.”
Senior Cybersecurity Manager
Cribl Edge also played a significant role in the security team’s data reduction efforts. The security team replaced Splunk Universal Forwarders on domain controllers and DNS servers with Cribl Edge nodes, simplifying data collection architecture and allowing for streamlined upgrades. Using Cribl Edge allowed the security team to collect, filter, and parse data, such as Windows Event Logs and SMTP logs, at the source before it reached the Splunk software environment to further reduce ingest and prepare for a seamless migration.
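As an added example (not Cribl's own code, Pack or pipeline definition), the following JavaScript models the kind of reduction logic described above, run over constructed Windows Security events: drop event IDs that carry volume but little detection value, keep the rare 4662 events that matter, and strip verbose fields that duplicate the structured ones. The field names, the noisy/dropped lists and the sample events are assumptions chosen for illustration; only the two replication-rights GUIDs are real.

```javascript
// Added example, not Cribl's own code or config: a small model of a
// reduction pipeline run over constructed Windows Security events.
// Field names and the noise / keep lists are assumptions.

// Replication-rights GUIDs that appear in a 4662 event's Properties when a
// directory object is read with DS-Replication-Get-Changes(-All). These are
// the DCSync signal and must survive any 4662 filtering.
const REPLICATION_GUIDS = [
  "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", // DS-Replication-Get-Changes
  "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", // DS-Replication-Get-Changes-All
];

// High-volume, low-value on a domain controller in this model (assumption):
// Windows Filtering Platform permitted-connection/bind events.
const NOISY_EVENT_IDS = new Set([5156, 5158]);

// Verbose fields that only duplicate what the structured fields carry.
const DROP_FIELDS = ["Message", "Keywords", "Opcode", "Version"];

// Constructed sample events (not real data), in a flattened JSON shape.
const SAMPLE_EVENTS = [
  { EventID: 4624, Computer: "dc01.corp.example", TargetUserName: "alice", LogonType: 3,
    IpAddress: "10.0.0.5", Message: "An account was successfully logged on. Subject: ...",
    Keywords: "0x8020000000000000", Opcode: "Info", Version: 2 },
  { EventID: 5156, Computer: "dc01.corp.example", Application: "\\windows\\system32\\lsass.exe",
    SourceAddress: "10.0.0.5", DestAddress: "10.0.0.1", DestPort: 389,
    Message: "The Windows Filtering Platform has permitted a connection. ...",
    Keywords: "0x8020000000000000", Opcode: "Info", Version: 1 },
  { EventID: 4662, Computer: "dc01.corp.example", SubjectUserName: "svc-backup", AccessMask: "0x100",
    Properties: "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", // replication read
    Message: "An operation was performed on an object. ...",
    Keywords: "0x8020000000000000", Opcode: "Info", Version: 0 },
  { EventID: 4662, Computer: "dc01.corp.example", SubjectUserName: "bob", AccessMask: "0x10",
    Properties: "%%7688 {e48d0154-bcf8-11d1-8702-00c04fb96050}", // placeholder, not a replication right
    Message: "An operation was performed on an object. ...",
    Keywords: "0x8020000000000000", Opcode: "Info", Version: 0 },
];

// Returns true if the event should be forwarded to the SIEM.
function shouldKeep(ev) {
  if (NOISY_EVENT_IDS.has(ev.EventID)) return false;
  if (ev.EventID === 4662) {
    // Keep only directory-replication reads; everything else in 4662 is noise here.
    const props = String(ev.Properties || "").toLowerCase();
    return REPLICATION_GUIDS.some((g) => props.includes(g));
  }
  return true;
}

// Returns a copy of the event without the verbose fields.
function trimFields(ev) {
  const out = {};
  for (const [k, v] of Object.entries(ev)) {
    if (!DROP_FIELDS.includes(k)) out[k] = v;
  }
  return out;
}

// Runs the pipeline and reports the volume change as a license meter would see it
// (serialized size before vs after, in characters).
function reduceEvents(events) {
  const size = (e) => JSON.stringify(e).length;
  const inBytes = events.reduce((n, e) => n + size(e), 0);
  const kept = events.filter(shouldKeep).map(trimFields);
  const outBytes = kept.reduce((n, e) => n + size(e), 0);
  return {
    kept,
    inCount: events.length,
    outCount: kept.length,
    inBytes,
    outBytes,
    reductionPct: Math.round((1 - outBytes / inBytes) * 1000) / 10,
  };
}

const { kept, ...stats } = reduceEvents(SAMPLE_EVENTS);
console.log(stats, kept.map((e) => e.EventID));
```

The check worth carrying into any real pipeline is the 4662 branch: a blanket drop of the chattiest event IDs removes the DCSync signal along with the noise, so the reduction rule has to be conditional on content, not just on the event ID. The same applies to logon and process-creation events (4624/4625, 4688), which this model keeps untouched.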
Evaluating SIEM solutions
During the divestiture process, this retailer expected that it would need to split its data and route it to multiple SIEMs. They used Cribl to prepare for this, giving them choice, control, and flexibility over where data could be sent. Although the split turned out not to be necessary as part of the divestiture, validating this capability proved key to their next phase of security growth.
“While the other company eventually went with a third-party MSSP and we ended up not needing to split and route data to multiple SIEMs, we did test and validate the process, so we knew that it worked.”
Senior Cybersecurity Manager
Once the divestiture was complete, the retailer decided to rethink its SIEM tooling. The team evaluated three potential SIEM solutions, using Cribl to streamline the process while minimizing operational impact, and drawing on the multi-destination routing it had already validated during the divestiture.
“With Cribl, we were able to quickly perform a proof of value (POV) with all three SIEM solutions without impacting our existing SIEM. It allowed us to split data, route it to different destinations, set up SIEM capabilities, and mask sensitive data to evaluate each solution.”
Senior Cybersecurity Manager
Streamlining SIEM migration
After selecting Google SecOps as its SIEM solution, the security team kicked off the migration process. Before Cribl, this would have been a lengthy project expected to take months because of tangled data flows and syslog architecture. To simplify it, the security team had already replaced the Splunk Universal Forwarders (UFs) on its domain controllers and DNS servers with Cribl Edge nodes ahead of the migration.
“When we came to the actual transition to SecOps, having a centralized logging platform made a massive difference. It made the SIEM migration really easy. 99% of our SIEM data now flows through Cribl.”
Senior Security Engineer
This simplified architecture, combined with their MSSP’s ‘plug and play’ process for deploying SIEM solutions, allowed the team to migrate SIEMs in just three weeks, significantly faster than the six to nine months such migrations typically take.
“By creating reusable content compatible with any SIEM and leveraging Cribl for streamlined data ingestion, our MSSP eliminated the need for SIEM-specific configurations. This allowed us to integrate data sources and content, achieving full operational set up within three weeks.”
Manager of Threat Operations
As the team moves forward with their new SIEM, they see an opportunity to rethink their data tiering strategy. They can get more from their budget by distinguishing the data that populates detection content in the SIEM from data they are only retaining for compliance purposes and “what if” scenarios. By deciding which data needs to go where to deliver the most value back to the business, the security team is optimizing budgets while reducing operational risk.
TL;DR
Cut Splunk software ingestion costs by 25% (1TB/day to 750GB/day) using Cribl Stream and Edge.
Streamlined data management by replacing Splunk UFs with Cribl Edge nodes.
Leveraged Cribl products to simultaneously execute three SIEM proof-of-values without impacting existing operations.
Accelerated SIEM migration to Google SecOps from 6 months to 3 weeks using Cribl for efficient data collection and routing, with 99% of data flowing through Cribl.