May 19, 2022
I recently spoke with recovering SOAR founder JP Bourget, founder of BlueCycle, a SOC/MSSP Advisory Service. JP and his team have worked with more than 250 organizations, advising on SOC best practices, optimization, and improving security data pipelines and processes.
Since JP has logged more than 20 years in cybersecurity, I wanted to chat with him about observability trends in security and what he’s hoping to see as we enter #hoteventsummer (RSA, Snowflake Summit, Gartner Security and Risk, CriblCon, Black Hat, and DEFCON 30), with conferences shaping up to have huge attendance and lots to cover!
The TL;DR: You can connect with JP in Cribl Slack, on Twitter, or at BlueCycle.net, and if you’re a hacker AND a cyclist, you should check out Cycleoverride.org.
You can hear the whole discussion above, but I’ve excerpted some of the highlights below, mostly around how JP and co have delivered better security outcomes for MSSPs and enterprise SOC organizations using security data pipelines powered by Cribl.
Even though many security teams use the same technologies and tools, no two are the same in terms of the way they’ve configured and formatted the logs, meaning MSSPs have to reinvent the wheel every time they onboard a data source for a new tenant or customer.
Cribl and Cribl Packs give JP’s team the ability to apply the same logic across all customers without writing, managing, and maintaining custom code and parsers just to get data into a SIEM. Splunk, QRadar, Sentinel, Exabeam, or a homegrown SIEM: it doesn’t matter, Cribl makes it easy to build and reuse data pipelines.
Like MSSPs, individual organizations also benefit from the streamlined data onboarding process. In addition to onboarding the data more easily, data formats are normalized and enriched with valuable context, so there’s greater accuracy and less work to do in the SIEM or analytics system. In some cases, JP has seen customers reduce SIEM ingest cost by up to 60-65% by taking the approach of sending everything to cheap storage and sending only what they need to the SIEM.
If we’re talking about reducing the amount of data going into the SIEM, how does that jibe with the notion that the more data you have in your security analytics platform, the more “secure” you are, or the more likely you are to effectively reduce risk?
All data is security relevant, but not all data needs to go to your SIEM to get the assurance you need. It turns out that reducing the amount of data doesn’t impact the efficacy or change the risk profile for your organization. If you know your log sources (or get some help from someone like JP) and, more importantly, what’s required to feed alerting logic, you can make smart decisions about what should go into your SIEM and what should go to S3.
Customers can send the data they need, enriched in the stream with additional context like IPs, geolocation, and user ID, all normalized before it hits the SIEM, so you get much cleaner data with a lower initial time investment to get data in.
We see customers able to bring in additional data sources, but only the relevant fields, so they still get the correlation they need to feed detection rules and alerting. And there’s an insurance policy: using Cribl’s Replay feature, you can pull data back in from S3 for deeper investigations over longer time horizons.
In JP’s view, the SOC’s core competency is, and should be, handling alerts and figuring out how to deal with them; data ingest is not a SOC’s core competency. Similarly, for SOAR the goal is not to be writing integrations but to be focusing on complex investigations.
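As an added illustration (not Cribl’s or JP’s code), here is a small Python sketch of the routing pattern described above: every event is normalized and enriched, archived in full for later Replay, and only the events and fields that detection logic needs go on to the SIEM. The sample events, the vendor field map, the geo table and the SIEM allow-list are all constructed for the example.

```python
import json

# Constructed sample events: two firewall vendors that name the same fields differently.
RAW_EVENTS = [
    {"sourcetype": "fw_vendor_a", "srcip": "203.0.113.7", "dstip": "10.0.0.5",
     "action": "deny", "usr": "alice", "raw_payload": "A" * 400},
    {"sourcetype": "fw_vendor_a", "srcip": "10.0.0.9", "dstip": "10.0.0.5",
     "action": "allow", "raw_payload": "A" * 400},
    {"sourcetype": "fw_vendor_b", "src": "198.51.100.4", "dest": "10.0.0.8",
     "action": "deny", "user": "bob", "raw_payload": "B" * 400},
    {"sourcetype": "fw_vendor_b", "src": "10.0.0.3", "dest": "10.0.0.8",
     "action": "allow", "user": "carol", "raw_payload": "B" * 400},
]

# Vendor-specific field names -> one normalized schema that detection rules are written against.
FIELD_MAP = {"srcip": "src_ip", "src": "src_ip", "dstip": "dst_ip", "dest": "dst_ip",
             "usr": "user_name", "user": "user_name"}
# Constructed geo lookup keyed by /24 prefix (a stand-in for a real GeoIP database).
GEO = {"203.0.113": "US", "198.51.100": "DE"}
# Only the fields alerting logic actually consumes are forwarded to the SIEM.
SIEM_FIELDS = {"sourcetype", "src_ip", "dst_ip", "user_name", "action", "src_geo"}

def normalize(event):
    return {FIELD_MAP.get(k, k): v for k, v in event.items()}

def enrich(event):
    prefix = event["src_ip"].rsplit(".", 1)[0]
    event["src_geo"] = GEO.get(prefix, "internal")
    return event

def needed_by_siem(event):
    # Routine permitted flows are archived only; denies still feed correlation and alerting.
    return event["action"] != "allow"

def run_pipeline(raw_events):
    archive, siem = [], []
    for raw in raw_events:
        ev = enrich(normalize(dict(raw)))
        archive.append(ev)  # full fidelity to cheap storage, available for Replay later
        if needed_by_siem(ev):
            siem.append({k: ev[k] for k in SIEM_FIELDS if k in ev})
    return archive, siem

def ingest_bytes(events):
    return sum(len(json.dumps(e)) for e in events)

def reduction_pct(raw_events):
    # Percentage of bytes kept out of the SIEM compared with archiving everything.
    archive, siem = run_pipeline(raw_events)
    return round(100 * (1 - ingest_bytes(siem) / ingest_bytes(archive)))
```

The reduction figure depends entirely on which fields and actions your detections need; the point is that the decision is made once in the pipeline, not per tenant in the SIEM.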
“My mission in life is to build the cyber data pipelines to make it easy for the SOC operators to focus on investigating, responding and remediating to protect the business. Our team and Cribl facilitate the plumbing. Security analysts can focus on core competencies and do incident response, ultimately providing greater protection and insights for the business.”
Note that with the challenges in recruiting, training, and retaining security talent, part of the problem is that we’re asking them to do 5+ jobs. Context switching is hard. Focusing on core competencies makes it easy to onboard new analysts faster and helps them focus on a core area of expertise.
We talked a bit about Cribl’s vendor-agnostic vision for observability. JP got passionate again: “Here’s the thing, you should be able to own your data and not have to break the bank to retain that data. And secondly, you want to be able to ask questions in the future even if you don’t know the questions you want to ask today.”
More organizations are moving to the cloud and deploying multiple SIEMs, but they still need to maintain some sense of cost control or cost reduction. Most well-funded cloud SIEMs have some strategy for ingesting logs, but that strategy does not include the reduction processes and tooling to bring in only what you need, so that you pay only for what you need. Cribl gives teams control of their data, sending the relevant bits to the relevant destinations, where it will be most efficient to analyze and economical to store.
Thanks to JP and all of our customers who are helping us to build a great Cribl Community! If you’re just getting started with Cribl, you can check out our sandboxes, a guided experience with demo data at sandbox.cribl.io. There’s also a wealth of information, tips, tricks, and use case ideas on our blogs and Slack. We have user group meetings on the 2nd Tuesday of the month, and we just launched our Q&A forum curious.cribl.io.