Fortune 500 Investment Services Firm Puts Cribl at the Center of Shift to Modern, Cloud-Native Architecture

This Fortune 500 financial advice and investment services firm serves investment clients in the U.S. and Canada. They have more than 15,000 locations, 50,000 employees, and nearly eight million clients worldwide.


After taking a closer look at their security architecture a few years ago, the team at a Fortune 500 financial advice and investment services firm decided it was time to upgrade their tooling. Poor data quality and the subsequent bugs that would routinely pop up prompted the desire to shift to a more modern, cloud-native infrastructure.

They made it a point to work only with tools that would integrate well together and scale with the organization, allowing for growth without being tied to specific vendors. By partnering with Security Risk Advisors (SRA), a trusted MSSP, they chose Microsoft Sentinel and Palo Alto XSOAR as the foundation for their SOC operations, and Cribl Stream to route data to those and other current or future destinations.

“Once we discovered that Cribl could multiplex data out to different destinations, it started to fit really well into our plan, including our desire to build a data lake. Having it at the core of our toolkit was very attractive. With Stream, we had options.”

Security Engineering Leader

With help from SRA, the team finished replacing their SIEM and built out their data lake with Azure Blob Storage. They were able to perform even more complex analytics, incorporating statistical analysis and elements of machine learning.

More Sophisticated Threat Modeling and Detection

From a detection capability and strategy point of view, the team has finally implemented some of what they had been envisioning for a while. Out-of-the-box detections gave the team baseline risk coverage, but the coverage the security team actually needed required specific data and the ability to build custom detections on that data, in line with the priorities of the business.

“With Cribl Stream in place, our detection capabilities are much more robust. Now we can identify more than just the very obvious things that our web application firewall or endpoint agents tell us.”

Senior Technical Architect

The senior technical architect can now sit with different teams on the technology and business sides of the organization and put all the pieces together. He can understand normal and expected behaviors, as well as what is anomalous, and use that baseline for more sophisticated threat research and modeling.

Better Reporting and Insights Into Business Activities

Having a data lake benefits not just the security team, but the rest of the business. Easy access to clean, historical data allows for trend analysis across departments, whether a team is reporting to leadership or planning for the growth of the whole firm.

“The data lake gives us access to vast quantities of data over time, allowing for analysis at scale and insight into deviations for certain business units or activity in our environment. With Cribl Stream, we’re able to notice malicious patterns, but we can also see more of the normal patterns that impact the business.”

Senior Technical Architect

Before Stream they could only collect limited data sets, which made it impossible for the team to see trends or patterns in their data. Were certain events one-offs? Were they happening monthly? Every six months? Now they can eliminate the guessing game, mature their security model, and approach security proactively.

Accelerated Cloud Migration

The security engineering team has also used Cribl Stream to assist with and accelerate their migration to the cloud. Their old legacy tech stack included proprietary agents that were only there to support their specific SIEM. The newfound flexibility of using Stream to send relevant data in the optimal format to various tools, detections, and dashboards has made things much easier.

The security team is also making sure the rest of their organization benefits from Stream. No matter how impressive some of the other tools in their toolkit were, many of them could only ship data to one location or in one format. Now everybody gets the data they need, however they need it.

“With Cribl Stream, we can get the data our old SIEM collected, as well as any other data we want to collect. It allows us to serve other platforms and the other teams in our organization the right data. We can all work together now to collect data once and get it to everybody that needs it, in the optimal format.”

Senior Technical Architect

Easy Compliance With Regulatory Requirements

As a financial services firm, the team has to meet specific regulatory requirements and security frameworks, such as NIST. The retention and sizing for their data lake platform are based on what their analysts and security team need, and Stream helps them strike the right balance between compliance, cost, and access to their data.

“Cribl Stream allows us to retain data for compliance storage in a separate location and at a significantly lower cost. With this setup, we're able to check the boxes for compliance, but also know that our data is accessible if we need it.”

Senior Technical Architect
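The collect-once, route-to-many pattern the team describes (one ingest feeding the SIEM, the SOAR platform, and a separate, cheaper compliance archive, each in the shape that destination needs) as an added illustration. This is not Cribl's code or pipeline configuration; it is a small Python router written for this page. The route names, the shaping rules, and the sample firewall and EDR events are all constructed assumptions.

```python
"""Fan-out routing of security events to several destinations.

Added example, not Cribl's code: every event is ingested once, then each
route decides whether it wants the event and how to shape it. The archive
route keeps a full-fidelity, hashed copy for compliance retention; the SIEM
route drops the bulky raw payload it does not need; the SOAR route only
receives high-severity EDR alerts as minimal case records.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed sample events (not real telemetry): two firewall records, one EDR alert.
SAMPLE_EVENTS = [
    {"source": "fw", "ts": "2024-05-01T10:00:00Z", "action": "allow",
     "src": "10.1.2.3", "dst": "93.184.216.34", "bytes": 12034,
     "raw": "<134>May  1 10:00:00 fw01 ALLOW 10.1.2.3 -> 93.184.216.34 len=12034"},
    {"source": "fw", "ts": "2024-05-01T10:00:05Z", "action": "deny",
     "src": "10.1.2.3", "dst": "198.51.100.7", "bytes": 0,
     "raw": "<134>May  1 10:00:05 fw01 DENY 10.1.2.3 -> 198.51.100.7"},
    {"source": "edr", "ts": "2024-05-01T10:01:00Z", "severity": "high",
     "host": "wks-0421", "rule": "credential_dumping", "user": "jdoe",
     "raw": "{\"agent\":\"edr-1.2\",\"proc\":\"lsass.exe\"}"},
]


@dataclass
class Route:
    """One destination: an accept predicate, a shaping function, and a sink."""
    name: str
    accept: Callable[[dict], bool]
    shape: Callable[[dict], Optional[dict]]
    sink: list = field(default_factory=list)  # stand-in for a real output connector


def to_archive(event: dict) -> dict:
    # Compliance copy: canonical JSON plus a content hash so the record can be
    # integrity-checked when it is pulled back out of cheap storage later.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return {"sha256": hashlib.sha256(body.encode()).hexdigest(), "event": body}


def to_siem(event: dict) -> dict:
    # SIEM copy: the raw payload is already retained in the archive, so drop it
    # here to cut indexed volume, and tag the dataset for the detection rules.
    slim = {k: v for k, v in event.items() if k != "raw"}
    slim["_dataset"] = f"{event['source']}_events"
    return slim


def to_soar(event: dict) -> dict:
    # SOAR copy: a minimal case record rather than the whole telemetry row.
    return {"title": f"{event['rule']} on {event['host']}",
            "priority": "P1" if event["severity"] in ("high", "critical") else "P3",
            "host": event["host"], "user": event.get("user"), "ts": event["ts"]}


def build_routes() -> list:
    """Assumed route set; a real deployment would have many more."""
    return [
        Route("archive", lambda e: True, to_archive),
        Route("siem", lambda e: True, to_siem),
        Route("soar",
              lambda e: e.get("source") == "edr" and e.get("severity") in ("high", "critical"),
              to_soar),
    ]


def route_events(events: list, routes: list) -> dict:
    """Deliver each event once to every route that accepts it; return per-route counts."""
    counts = {r.name: 0 for r in routes}
    for event in events:
        for r in routes:
            if not r.accept(event):
                continue
            shaped = r.shape(event)
            if shaped is None:
                continue
            r.sink.append(shaped)
            counts[r.name] += 1
    return counts


def restore_from_archive(records: list) -> list:
    """Verify each archived record's hash and return the original events."""
    events = []
    for rec in records:
        if hashlib.sha256(rec["event"].encode()).hexdigest() != rec["sha256"]:
            raise ValueError("archive record failed integrity check")
        events.append(json.loads(rec["event"]))
    return events


def run_sample():
    routes = build_routes()
    counts = route_events(SAMPLE_EVENTS, routes)
    return counts, {r.name: r.sink for r in routes}


if __name__ == "__main__":
    counts, sinks = run_sample()
    print(counts)  # {'archive': 3, 'siem': 3, 'soar': 1}
    for rec in sinks["archive"]:
        print(rec["sha256"][:16], rec["event"][:60])
```

The point of the split is that the expensive, indexed destination only sees what its detections need, while the cheap archive keeps everything at full fidelity and can prove it has not been altered; if a SIEM query later needs the raw payload, it is recoverable from the archive rather than lost.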

Democratizing Access to Data

Of all the reasons the team is happy to have Cribl Stream in their toolkit, this ability to democratize data is at the top of the list. In the past, they always ran into limitations on the data they were able to collect, no matter the size of the company or the tools they had been using.

Even if they could collect it, whether it would be usable again depended on the vendor it ended up with. Inevitably, only some of the data ended up indexed or searchable in a meaningful way.

“Cribl Stream gives us the visibility and data that we need, along with uninhibited access. We’re no longer limited by any of the tools in our toolkit.”

Senior Technical Architect

In talking to the other teams at the financial services company before bringing Cribl on board, the Security Engineering Leader and Senior Technical Architect noticed a general dissatisfaction with the state of data affairs. They’re happy to share that the feeling has all but disappeared.

“There was a discernible gap between what everyone wanted to be able to do and what they were currently able to do. Certain products wouldn’t work or return useful results, so they went unused. Cribl Stream is helping us make full use of all of our tools.”

Security Engineering Leader

Since integrating Stream into their architecture, the team no longer has to worry about whether they have the coverage they need or full control over the data flowing through their security setup.

Find out more about how Cribl Stream can help you streamline the discovery, exploration, and storage of any data from any source, leverage schema-on-need to optimize storage and compute overhead, and dispatch only valuable data to any destination now and in the future.

Get Cribl, and take control of your data.

TL;DR
  • Put Cribl at the center of its shift to a modern, cloud-native infrastructure.

  • Increased threat detection sophistication and capabilities.

  • Gained new insights into patterns that impact business activities.

  • Accelerated migration to cloud-native infrastructure.

  • Easier compliance with regulatory requirements for data retention.

  • More visibility and easier access to data no matter the vendor or destination.

About Cribl

Cribl makes open observability a reality for today’s tech professionals. The Cribl product suite defies data gravity with radical levels of choice and control. Wherever the data comes from, wherever it needs to go, Cribl delivers the freedom and flexibility to make choices, not compromises. It’s enterprise software that doesn’t suck, enables tech professionals to do what they need to do, and gives them the ability to say “Yes.” With Cribl, companies have the power to control their data, get more out of existing investments, and shape the observability future. Founded in 2017, Cribl is a remote-first company with an office in San Francisco, CA. For more information, visit cribl.io or our LinkedIn, Twitter, or Slack community.
