Highlights
50% reduction in data storage costs
Cut engineering spend in half
Migrated SIEMs in three months
This Industrial Automation Manufacturer helps improve productivity by integrating control and information across enterprises. However, years of large-scale mergers and acquisitions resulted in the unintentional accumulation of disparate infrastructure and tools. Because integrations rarely went according to plan, certain technologies were left to linger, creating a complex environment.
The most pressing impact of this M&A-driven sprawl was that the company's tech stack contained four different Security Information and Event Management (SIEM) tools. Having multiple SIEMs created silos, massive inefficiencies, and significant technical debt that cost the company a considerable amount of money. The Director of Security Operations realized that consolidation was impossible while the data stayed locked into each vendor's tool, and set out to find a solution that could finally give the team control over its own data.
Freedom from vendor lock-in with Cribl Stream
The majority of the data in these SIEMs was either locked in that vendor’s tool or in a proprietary, unusable format. The Director’s team brought in Cribl Stream to give them the flexibility and visibility they needed into their data landscape.
“We brought Cribl Stream in as our middleware powering the data pipeline, and we've been using it to send data to our new data lake. This allows us to bring our data back in-house and decouple from our legacy SIEMs once the stored data meets retention requirements.”
– Director of Security Operations, Cyber Defense
Using Cribl Stream, they were able to migrate away from one SIEM completely in just three months with the other three soon to follow suit. The Manufacturer selected Microsoft Sentinel as a replacement for all four legacy SIEMs, paired with Azure Data Explorer (ADX) to further reduce storage costs.
“The company had been trying to modernize the SIEM over the past several years. With the team we put in place and Cribl as a partner, we were able to deliver on something we've been promising the organization for several years, in just one quarter.”
- Director of Security Operations, Cyber Defense
50% SIEM license savings via telemetry volume reduction
The Automation Manufacturer has realized several other benefits from bringing on Cribl Stream, including 50% SIEM license savings without sacrificing visibility. Most of that volume reduction came from deduplicating events and dropping unnecessary fields; Stream also gave the team better insight into its data, which helped it identify further areas for reduction and tune detection content for broader risk coverage.
“At one point, I thought something might be broken in our data lake because we weren’t getting the numbers I was expecting. Turns out it was because of the reduction and deduplication we made possible with Cribl. We were able to re-deploy the resources used to manage data pipelines to enable more comprehensive security coverage.”
– Director of Security Operations, Cyber Defense
In addition to the SIEM consolidation cost savings, the Director can now re-deploy valuable security personnel. Before implementation, they needed two full-time engineers to support one of the SIEMs. Now one engineer can focus on data, and the other can focus on detection engineering.
Cribl gives the team the ability to quickly pivot, manipulate, and route data wherever they want, whenever they want. That means a task such as data enrichment or transformation, which would traditionally be a week- or month-long project, can be completed in an afternoon, freeing up time for more valuable work.
“Cribl allows you to do so many interesting things with your data before it ever gets ingested into a secondary technology. It gives people the ability to go out and do what they find interesting — which is to experiment and build new projects to help enhance our security posture.”
- Director of Security Operations, Cyber Defense
The Director is excited about this capability because it’s a very attractive value proposition for top engineering candidates. They are confident that it will also help with retention because it allows people to do more engaging, meaningful work.
Easy obfuscation and redaction of data for data privacy
With Cribl Stream, the Manufacturer is gaining the functionality to obfuscate data based on what’s important to their organization, instead of just the key fields that vendors decide are pertinent. Like many companies that operate in Europe, they are subject to GDPR and strict controls around how customer data is treated.
“If there are new works council changes or privacy issues that arise overseas, we now have more flexibility to address it more quickly than we did before Cribl Stream.”
- Director of Security Operations, Cyber Defense
In the past, those compliance issues forced them to hold onto certain vendors they could otherwise end-of-life to reduce license, storage, and infrastructure costs, as well as management overhead.
“We actually held on to one SIEM environment just because it could mask and unmask data. Now that we are using Cribl Stream to perform a similar function, we can remove an entire SIEM ecosystem that we kept in place for one fringe use case.”
- Director of Security Operations, Cyber Defense
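The three pre-ingestion steps described above, dropping fields the SIEM never uses, suppressing duplicate events, and masking personal data so it can still be unmasked in-house, are shown here as an added Python example. It is not Cribl Stream's own configuration or the Manufacturer's pipeline; the field names, the drop list, the dedup keys, the token format and the sample events are all constructed for illustration.

```python
"""Added example (not Cribl Stream's own configuration): the three
pre-ingestion transformations the case study describes, applied to
constructed sample events so the effect on volume and privacy is visible.
Field names, the drop list and the token format are assumptions."""
import hashlib
import hmac
import json
import re

# Fields assumed to carry no detection value (dropped before the SIEM sees them).
DROP_FIELDS = {"agent_version", "host_uptime", "raw_xml"}
# Fields assumed to hold personal data subject to GDPR.
PII_FIELDS = ("user_email", "src_ip")
# Fields that together identify "the same event" when two collectors forward it.
DEDUP_KEYS = ("timestamp", "host", "event_id", "user_email")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Constructed sample input: event 2 is event 1 re-forwarded by a second agent.
SAMPLE_EVENTS = [
    {"timestamp": "2024-05-01T10:00:00Z", "host": "plc-gw-01", "event_id": 4624,
     "user_email": "jane.doe@example.com", "src_ip": "10.1.2.3",
     "agent_version": "8.4.1", "host_uptime": 91234,
     "message": "Successful logon by jane.doe@example.com"},
    {"timestamp": "2024-05-01T10:00:00Z", "host": "plc-gw-01", "event_id": 4624,
     "user_email": "jane.doe@example.com", "src_ip": "10.1.2.3",
     "agent_version": "8.3.0", "host_uptime": 91234,
     "message": "Successful logon by jane.doe@example.com"},
    {"timestamp": "2024-05-01T10:00:05Z", "host": "plc-gw-01", "event_id": 4625,
     "user_email": "jane.doe@example.com", "src_ip": "10.1.2.3",
     "agent_version": "8.4.1", "host_uptime": 91239,
     "message": "Failed logon"},
    {"timestamp": "2024-05-01T10:01:00Z", "host": "hmi-02", "event_id": 4624,
     "user_email": "bob@example.com", "src_ip": "192.168.5.9",
     "agent_version": "8.4.1", "host_uptime": 500,
     "message": "Successful logon by bob@example.com"},
]


class Tokenizer:
    """Keyed pseudonymisation: the same value always yields the same token,
    tokens cannot be reversed without the vault, and the vault stays in-house
    so analysts can unmask under an approved request."""

    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}  # token -> original value (never shipped to the SIEM)

    def mask(self, value: str) -> str:
        digest = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok:" + digest[:16]
        self._vault[token] = value
        return token

    def unmask(self, token: str) -> str:
        return self._vault[token]


def fingerprint(event: dict) -> str:
    """Stable hash over the dedup keys, ignoring collector-specific fields."""
    subset = [event.get(k) for k in DEDUP_KEYS]
    return hashlib.sha256(json.dumps(subset, sort_keys=True).encode()).hexdigest()


def process(events, tokenizer: Tokenizer) -> list:
    """Drop noise fields, suppress duplicates, then tokenize PII in both
    structured fields and free-text messages, in that order."""
    seen, out = set(), []
    for raw in events:
        ev = {k: v for k, v in raw.items() if k not in DROP_FIELDS}
        fp = fingerprint(ev)
        if fp in seen:
            continue
        seen.add(fp)
        for field in PII_FIELDS:
            if field in ev:
                ev[field] = tokenizer.mask(str(ev[field]))
        if "message" in ev:
            ev["message"] = EMAIL_RE.sub(lambda m: tokenizer.mask(m.group(0)), ev["message"])
        out.append(ev)
    return out


def byte_volume(events) -> int:
    """Serialized size, the number a per-GB SIEM licence is billed on."""
    return sum(len(json.dumps(e)) for e in events)


if __name__ == "__main__":
    tok = Tokenizer(b"rotate-me-and-store-in-a-secrets-manager")
    reduced = process(SAMPLE_EVENTS, tok)
    print(f"{len(SAMPLE_EVENTS)} events / {byte_volume(SAMPLE_EVENTS)} bytes -> "
          f"{len(reduced)} events / {byte_volume(reduced)} bytes")
    print(json.dumps(reduced[0], indent=1))
    print("unmasked:", tok.unmask(reduced[0]["user_email"]))
```

Two design points matter in practice. The dedup fingerprint is computed after the noise fields are dropped, so two collectors forwarding the same event with different agent versions still collapse to one record. Masking is keyed and deterministic, so the same address produces the same token across events and across structured and free-text fields, which keeps correlation working in the SIEM while the vault that maps tokens back to real values stays under the organisation's control rather than the vendor's.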
Cribl Stream allows them to reinvest the money they saved into other initiatives to drive change and innovation for the organization.
Seamless adoption into and throughout the organization
The implementation of Cribl Stream went very smoothly. Apart from a quick call with the Cribl support team to address a few specific questions, they got everything up and running on their own. Adoption among different departments within the organization itself is also off to a good start.
“Our internal architecture engineering team is using Cribl as a solution for several problems that we've run into within the organization as well. It’s really starting to get traction outside of security-only use cases.”
– Director of Security Operations, Cyber Defense
For the team, the next steps are all rooted in optimization and process maturity, in anticipation of more automation down the road. After that, they plan on using Cribl Stream for more contextualization and enrichment of their data. They’re also looking at using Cribl Search to query their data at rest, and Cribl Edge to collect and process data from their Linux and Windows machines.
TL;DR
Seamless transition from four legacy SIEMs to Sentinel + ADX, with the first SIEM fully migrated in three months
Reclaimed data locked into vendor tools in unusable formats
50% reduction in data storage costs
Easy data obfuscation and masking to meet GDPR requirements in EMEA
Identified and removed data sources ingested as duplicates
Seamless adoption of Cribl Stream into the organization
QUOTES
“With Stream, we’re able to manipulate our data at rest, determine hot versus cold storage requirements, and more things like that to optimize our savings.”
“We love how Cribl just sits in the middle, allowing us to route our data wherever we want and remove all the unnecessary fields.”
“The data ownership we get with Cribl Stream allows us to more easily avoid regulatory and compliance risks.”