SIEM Migration Simplified with Cribl and Data Pipelining

Overview 

A leading British bank faced the challenge of modernising its Security Information and Event Management (SIEM) solution. Having relied on Splunk as its primary SIEM, operated together with a third-party Security Operations Centre (SOC), the bank sought a more cost-effective and scalable alternative and selected Microsoft Sentinel. The data sources feeding Splunk included firewalls, audit logs, VPN logs, ServiceNow and device logs, supporting stakeholder reporting and use cases such as blocked-IP detection. Apto were asked to design and support a SIEM migration strategy built around Cribl, drawing on our experience with the product and with how its data pipelining capabilities can de-risk a migration of this kind. 


Migration Strategy 

The migration plan prioritised a phased, risk-managed approach to ensure stability and continuity. Pipelining is what makes this practical: because Cribl sits between the log sources and the SIEMs, each phase below is a change to routing rather than a reconfiguration of every source.

1. Development Environment Setup

  • Data migration was first simulated in a controlled development environment.
  • Splunk remained in production while Sentinel and Cribl were tested in parallel. 

2. Sample Data Testing

  • Selected data was forwarded from Splunk to Sentinel via Cribl. 
  • Tests validated use case translations and ensured compatibility with Sentinel’s Advanced Security Information Model (ASIM). 

3. Dual Live Running

  • A dual-forwarding setup allowed both Splunk and Sentinel to operate simultaneously for a transitional period. 
  • This reduced risks and provided time to address any gaps before Sentinel fully replaced Splunk. 

4. Full Production Rollout 

  • Sentinel became the primary SIEM, with Cribl optimising data pipelines for efficient ingestion and management. 


The Role of Data Pipelining with Cribl 

Cribl’s platform was central to the migration, enabling streamlined, efficient and compliant data handling. Key functionalities included: 

  • Data Collection and Replay
    Cribl’s ability to forward full-fidelity logs to cost-effective object storage such as S3 buckets allowed the bank to retain every raw log for compliance purposes, independently of what either SIEM ingested. The replay feature ensured archived logs could be retrieved and re-processed when needed, for example to backfill Sentinel with historical data or to re-run a parser after a schema change. 
  • Data Shaping and Enrichment
    Cribl enabled parsing and mapping of logs to Sentinel’s schemas, enhancing the bank’s ability to meet specific use case requirements while discarding unnecessary data. 
  • Data Reduction and Routing
    By dropping verbose and low-value logs before ingestion, the bank significantly reduced the data volume sent to Sentinel; because the raw copy still went to storage, this reduction cost nothing in retention. Cribl’s multi-source, multi-destination routing provided the flexibility to direct each stream to where it was needed. 
  • Seamless Dual SIEM Operation
    Cribl’s pipelines supported simultaneous use of Splunk and Sentinel, ensuring the migration could proceed without disruption. 


Specific Use of Cribl Products 

  1. Cribl Edge
    Deployed as an agent on selected data sources, Edge collected raw logs at the host and forwarded them into Cribl Stream for further processing, which kept collection and routing under the same management plane as the rest of the pipeline.
  2. Cribl Stream
  • Pre- and Post-Processing: Logs were parsed, transformed, and mapped to Sentinel schemas. 
  • Data Volume Optimisation: Irrelevant logs were dropped, reducing storage and ingestion costs. 
  • Full-Fidelity Storage: Separate pipelines for raw and processed logs ensured flexibility and compliance. 
  • Replay Functionality: Allowed retrieval of raw logs for further analysis. 
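As an added illustration, constructed for this write-up and not Cribl’s configuration format or the bank’s own pipeline, the following Python models the mechanics that the two sections above describe: a routing table whose non-final routes clone each event to an S3-style archive, to Splunk and to Sentinel at the same time; a shaping step that maps raw firewall fields onto Microsoft Sentinel’s ASIM NetworkSession column names; a reduction filter that keeps low-value events out of both SIEMs while the archive keeps everything; and a replay that re-feeds the archive into a single destination. The sample log lines, the vendor key=value format, the vendor and product names and the ASIM subset used are all assumptions.

```python
"""Model of the migration pipeline described above (constructed example).

Events enter once, a routing table with non-final routes clones each event to
several destinations, a shaping pipeline maps raw firewall fields onto ASIM
NetworkSession column names for Sentinel, a reduction filter drops low-value
noise before either SIEM, and every raw event is archived so it can be
replayed later into a destination that did not exist when it was collected.
"""
import json
import re
from collections import Counter

# Constructed sample firewall lines; the key=value vendor format is hypothetical.
RAW_LOGS = [
    "2024-05-01T10:00:01Z fw01 action=blocked src=203.0.113.7 dst=10.0.0.5 dport=445 proto=tcp",
    "2024-05-01T10:00:02Z fw01 action=allowed src=10.0.0.8 dst=10.0.0.5 dport=443 proto=tcp",
    "2024-05-01T10:00:03Z fw01 action=blocked src=203.0.113.7 dst=10.0.0.9 dport=3389 proto=tcp",
    "2024-05-01T10:00:04Z fw01 heartbeat interval=60",  # low value: archived, not sent to a SIEM
    "2024-05-01T10:00:05Z fw01 action=blocked src=198.51.100.4 dst=10.0.0.5 dport=22 proto=tcp",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Parse one raw line into a flat dict; _raw is always kept for archiving."""
    event = {"_raw": line}
    m = LINE_RE.match(line)
    if m:
        event["ts"], event["host"] = m["ts"], m["host"]
        event.update(KV_RE.findall(m["rest"]))
    return event


def is_low_value(event):
    """Reduction rule: anything without an action field (heartbeats etc.) is SIEM noise."""
    return "action" not in event


def to_asim(event):
    """Shape a parsed firewall event onto ASIM NetworkSession field names."""
    denied = event.get("action") == "blocked"
    return {
        "TimeGenerated": event["ts"],
        "Dvc": event["host"],
        "EventVendor": "ExampleVendor",      # hypothetical vendor/product names
        "EventProduct": "ExampleFirewall",
        "SrcIpAddr": event.get("src"),
        "DstIpAddr": event.get("dst"),
        "DstPortNumber": int(event["dport"]) if "dport" in event else None,
        "NetworkProtocol": event["proto"].upper() if "proto" in event else None,
        "DvcAction": "Deny" if denied else "Allow",
        "EventResult": "Failure" if denied else "Success",
    }


PIPELINES = {
    "archive": lambda e: e,   # full fidelity: nothing touched
    "splunk": lambda e: e,    # Splunk keeps parsing _raw with its own props/transforms
    "sentinel": to_asim,      # ASIM-shaped for Sentinel
}

# (filter, pipeline, destination, final). A non-final route clones the event and
# lets it keep matching, which is what makes dual running two SIEMs possible.
ROUTES = [
    (lambda e: True, "archive", "s3_raw", False),
    (lambda e: not is_low_value(e), "splunk", "splunk", False),
    (lambda e: not is_low_value(e), "sentinel", "sentinel", True),
]


def run(lines, routes=ROUTES):
    """Push raw lines through the routing table; returns {destination: [events]}."""
    dests = {}
    for line in lines:
        event = parse(line)
        for matches, pipeline, dest, final in routes:
            if matches(event):
                dests.setdefault(dest, []).append(PIPELINES[pipeline](dict(event)))
                if final:
                    break
    return dests


def replay(archived, pipeline="sentinel", dest="sentinel"):
    """Replay archived raw events through a single route, e.g. to backfill Sentinel."""
    routes = [(lambda e: not is_low_value(e), pipeline, dest, True)]
    return run([e["_raw"] for e in archived], routes=routes).get(dest, [])


def blocked_sources(asim_events):
    """The blocked-IP use case expressed against ASIM fields: denies per source IP."""
    return Counter(e["SrcIpAddr"] for e in asim_events if e["DvcAction"] == "Deny")


if __name__ == "__main__":
    out = run(RAW_LOGS)
    print({d: len(v) for d, v in out.items()})
    print(json.dumps(out["sentinel"][0], indent=2))
    print(blocked_sources(out["sentinel"]).most_common())
```

The detail worth taking from the routing table is the final flag: Cribl’s routes behave the same way, an event that matches a non-final route is cloned and continues down the table, so running Splunk and Sentinel side by side is a routing change rather than a change at every source. Keep the archive route first and unfiltered, as here; anything dropped before it reaches storage is gone for good, so the reduction rules belong after the archive and should be reviewed against the use cases before the Splunk feed is switched off.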


Outcomes and Benefits 

The migration delivered a range of benefits that addressed the bank’s operational, regulatory, and financial goals: 

  • Cost Efficiency
    Sentinel’s pricing model, combined with Cribl’s data reduction capabilities, significantly reduced licensing and storage costs. 
  • Improved Compliance
    Retention of full-fidelity data in cost-effective storage ensured the bank met its regulatory retention requirements without paying SIEM ingestion rates for it. 
  • Operational Streamlining
    Growing in-house familiarity with Sentinel and Cribl reduced reliance on external contractors and enabled the bank’s team to manage the platform independently. 
  • Scalability and Flexibility
    A future-proof SIEM setup, capable of handling increasing data volumes without escalating costs, was established. 


Conclusion 

This case study shows how a data pipelining layer such as Cribl changes the shape of a SIEM migration. By decoupling log collection from the SIEM that consumes it, an organisation can switch destinations or run them in parallel, cut what it pays to ingest, and still retain every raw event for compliance. 

For this bank, the transition from Splunk to Sentinel was more than a swap of one SIEM for another: it was also a strategic move to modernise its security infrastructure and lay the foundation for long-term scalability and efficiency, with more control and flexibility over its data. 
