SIEM Migration

How to Build a Successful SIEM Migration Strategy

Last edited: April 24, 2025

At least once a week, a team reaches out to discuss migrating from an established SIEM or analysis platform. This major decision is influenced by several compelling factors, which can create significant work for engineering teams and pose risks to the business. The cost of switching to a new platform, often referred to as displacement costs, can be substantial. These expenses include maintaining a dual license and infrastructure costs during the migration period, training teams on a new complex product, and the cost/risk associated with actually transitioning to a new platform, which could jeopardize your security posture.

SIEM migration projects have probably never been more active. According to Cribl’s “Navigating the Data Current” report, “Azure Sentinel and Google’s SecOps SIEM platforms are the two fastest-growing destinations for all data passing through Cribl Cloud.”

The displacement costs are substantial for two reasons: No vendor makes it easy to leave their platform, and this class of platform is more challenging than most. It is more important than ever to get your migration right the first time and not have to invest in rework when you discover that early decisions did not work out as expected. It is critical to emphasize planning before taking action. More planning should equal less rework and faster value post-migration. This guide will focus on developing a strategy centered around three key principles:

  1. Migrating smoothly, with as little disruption to your security posture as possible

  2. Managing the impact on your limited engineering time

  3. Limiting rework post-migration

The Short Story

A company recently engaged with Cribl to help build and execute a SIEM migration strategy. The company was in a pickle. Their SIEM vendor demanded a 25% increase for a flat renewal, and the company was already spending way too much on tools. Leadership was concerned they were not getting full value from their tool spend. The SIEM vendor thought they had leverage over the company due to a lack of control over data ingest and the engineering team being too busy to leave the vendor. The company was reluctant to move away from the vendor due to concerns over risk and lack of engineering time. Still, the massive price increase drove the decision to the highest levels and ultimately became a business decision. The vendor was out no matter what.

The SIEM owner contacted us, and we helped build a migration strategy that drove fundamental change across the Security and IT organizations. I like to start with a workload-based approach so no capabilities are lost during the migration. The company used its SIEM for many workloads, such as SIEM, IR, threat hunting, data sharing, app support, and more.

The final solution architecture involved:

  1. Moving SIEM/security workloads to the existing secondary SIEM

  2. Moving observability and application monitoring use cases to two of the existing APM solutions and decommissioning the rest

  3. Moving the data sharing and data analytics functions to the existing data lake house platform

  4. Moving compliance/retention use cases to an object storage-based data lake

The only way to make this design work is to use a high-quality IT and Security telemetry pipeline offered by Cribl Stream. This pipeline enables data to be consumed through a common data plane and then brokered to the best destinations to handle each workload. A single event is produced once and then shared as required. A common example:

A firewall transmits syslog to Cribl Stream ->

  1. Use case #1 - Stream determines the event is in scope for detection, enriches the event and sends it to the SIEM ->

  2. Use case #2 - Stream determines this data is in scope for data sharing, clones the data, enriches the event and sends it to the Lakehouse ->

  3. Use case #3 - Stream determines the data is in scope for retention, clones the data and sends it to the data lake ->

Data is produced once and then shared as required.
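The fan-out above, together with the "keep feeding the old SIEM unchanged while new destinations get cleaned copies" pattern described later in the post, as an added example that is not Cribl's code: a plain JavaScript router that parses one constructed firewall syslog line, then gives each in-scope destination its own cloned copy that is enriched or trimmed independently. The route names, the detection filter, the asset-owner lookup and the log line are all assumptions made for illustration.

```javascript
// Added example, not Cribl's code: a minimal "produce once, share as required"
// fan-out. Routes, filters, the asset lookup and the log line are constructed.

// Constructed firewall syslog line (RFC 3164 style header, key=value body).
const SAMPLE_SYSLOG =
  '<134>Apr 24 10:15:02 fw01 kernel: DENY src=203.0.113.9 dst=10.0.0.5 dpt=3389 proto=TCP';

// Parse header and key=value body into an event object; keep the original in _raw.
function parseSyslog(line) {
  const m = line.match(/^<(\d+)>(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+?): (\w+) (.*)$/);
  if (!m) return null;
  const ev = { pri: Number(m[1]), ts: m[2], host: m[3], app: m[4], action: m[5], _raw: line };
  for (const kv of m[6].split(' ')) {
    const [k, v] = kv.split('=');
    ev[k] = /^\d+$/.test(v) ? Number(v) : v;
  }
  return ev;
}

const ASSET_OWNERS = { '10.0.0.5': 'jump-host-team' }; // constructed enrichment lookup

// Each route has a scope filter and a pipeline that runs on a private copy,
// so one destination's enrichment or trimming never leaks into another's.
const ROUTES = [
  // Legacy SIEM keeps receiving exactly what it always did during the migration.
  { dest: 'legacy_siem', filter: () => true, pipeline: [] },
  // Detection scope: denied RDP attempts, enriched with severity and asset owner.
  { dest: 'new_siem', filter: ev => ev.action === 'DENY' && ev.dpt === 3389,
    pipeline: [ev => ({ ...ev, severity: 'high', owner: ASSET_OWNERS[ev.dst] || 'unknown' })] },
  // Sharing scope: slim copy without the raw text or syslog priority.
  { dest: 'lakehouse', filter: ev => ev.host.startsWith('fw'),
    pipeline: [ev => { const { _raw, pri, ...slim } = ev; return slim; }] },
  // Retention scope: raw line plus just enough metadata to find it again.
  { dest: 'datalake', filter: () => true,
    pipeline: [ev => ({ host: ev.host, ts: ev.ts, _raw: ev._raw })] },
];

// Fan one parsed event out to every in-scope route; returns dest -> delivered events.
function routeEvent(ev, routes = ROUTES) {
  const out = {};
  for (const r of routes) {
    if (!r.filter(ev)) continue;
    let copy = JSON.parse(JSON.stringify(ev)); // clone per route; never mutate the source
    for (const step of r.pipeline) copy = step(copy);
    (out[r.dest] = out[r.dest] || []).push(copy);
  }
  return out;
}

function demo() { return routeEvent(parseSyslog(SAMPLE_SYSLOG)); }
```

Because every route works on its own clone, the legacy copy is byte-for-byte what the old SIEM always received, which is what makes side-by-side validation of old and new detections meaningful.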


The telemetry data control plane provided by Cribl Stream is the key to a migration strategy that enables every team to retain full functionality during and after the migration. This strategy limits rework and delivers faster value to every team as you migrate to your new architecture step by step.

With Cribl Stream between your sources and destinations, your existing SIEM gets all the data it has always received, including the good, the bad, and the ugly. Your detections and dashboards work as designed, so your SOC and support teams do business as usual. Once you settle on your technical architecture, your Cribl team starts to clone data source by data source to your new destinations. The data is cleaned and optimized for the new platforms. All of your SOC/engineering/support teams can now start to rebuild in your new architecture the detections, alerts and other tooling they had in your old SIEM. Since they have the same data as your existing solution, they can validate that everything works. Over time they can compare the results from the old and new to catch edge cases and increase confidence that everything is working as designed. Finally, teams can use the new architecture for day-to-day work but still preserve the old platform in case they need to roll back.

The best part about using Cribl Stream as your data control plane is that you do not have to perform hard data cutovers to migrate your data to new tools. Before having Cribl, my team had to follow this pattern and it was always a terrifying, “vaya con dios” moment. Are your new agents set up right? Is the parsing correct? Will dashboards work? Most importantly, will my detections give me the same results? I am sure the German language has a 20 character word for the longest second in your professional life while you wait to see if your new platform is working.

The go-no-go decision gets very easy because you know your data is under control, your content will work, and you have a rollback option in case something terrible happens.

The Benefits

Using Cribl Stream to clone your data to your new solution materially lowers migration risk. You maintain your security/monitoring/observability posture with no changes. Your new solution does not have to carry over the sins of the previous migration. You can optimize your cloned data to meet every requirement of your new platform. Finally, best of all, you dramatically lower the work and stress on your teams while you migrate your data. They can be thoughtful as they learn the new tool and thoroughly validate that everything works. No prayers or hope are required. Leadership can make a cutover decision based on the knowledge that everything will work as designed.

Post-migration, your team can control costs and get full value from their new architecture. If requirements change, they have a flexible framework that turns requirement changes into small efforts instead of big engineering projects. The best part is that your data tools are now interchangeable building blocks that can be replaced and not permanent fixtures that you are stuck with forever. This keeps your vendors honest and enables your teams to get work done with less effort.

Cribl provides companies with choice and control over their IT and security data. It’s your data. Your team has complete authority over how your data is utilized and, even better, how tools interact with it. No more limitations. No more worrying about whether your vendor supports your goals.

More Information

We are pleased to share a solution brief on the SIEM migration challenge to give you more detailed information on this vital strategy. It details how to plan your SIEM migration, including using Cribl Stream and Edge to achieve the above principles. We are very focused on making a challenging project materially faster and safer, so you can start seeing a return from your SIEM investment in months instead of waiting potentially years to finally cut over.

For more details, download the SIEM migration solution brief "8 Steps to Mastering Your SIEM Migration".

Coming to RSAC in San Francisco April 28-May 1st? Come by booth S-1755 and let's discuss your SIEM migration in person!

Cribl, the Data Engine for IT and Security, empowers organizations to transform their data strategy. Customers use Cribl’s suite of products to collect, process, route, and analyze all IT and security data, delivering the flexibility, choice, and control required to adapt to their ever-changing needs.

We offer free training, certifications, and a free tier across our products. Our community Slack features Cribl engineers, partners, and customers who can answer your questions as you get started and continue to build and evolve. We also offer a variety of hands-on Sandboxes for those interested in how companies globally leverage our products for their data challenges.
