The number of sources from which organizations consume data has increased 32% over the last year, with one-fifth saying they pull from 10 or more sources, according to the first “Navigating the Data Current” report from cloud platform and services provider Cribl.
The study was created from telemetry data collected from Cribl.Cloud users, who use its data engine for IT and security teams to route, manage, store and search that data.
The reason for this data explosion, of course, is the hunger for more. “If you’re already trying to bring on as much data as you can, the one way to make your platforms more valuable is to give them more data,” explained Nick Heudecker, senior director of Market Strategy & Competitive Intelligence at Cribl. “So the appetite for companies, nearly a fifth of them, is pretty substantial, to bring in a lot more diverse data. They get a better idea of what’s happening in their environment.”
With the increased amount of data organizations are consuming from an increasing number of sources comes the issue of securing that data. Where organizations in the past could put up a firewall and require simple password authorization to access data, today’s diverse landscape broadens the possibilities for human error as well as attack vectors for bad actors.
Organizations are looking to collect logs, events, metrics and traces – what Heudecker called the “quad-fecta” of observability, as well as data coming off firewalls, applications, Kubernetes environments, Windows machines, and “everything you can think of,” he said.
For now, Heudecker said, Splunk remains the most popular source of telemetry data. But as the need or desire to work with non-cloud SIEM systems grows, Amazon S3 is growing in popularity, he said.
One thing the study revealed is that while these organizations consume data from multiple cloud and on-premises sources, only 11% of Cribl.Cloud customers send data to destinations in more than one cloud service provider.
Heudecker said those Cribl customers are looking for modern platforms with better automation and better capabilities for data management. “Maybe not everything needs to go to a SIEM; maybe some of it needs to get peeled off and go to cheaper storage, long-term storage,” he said. “So companies are increasingly sending their data to multiple SIEM products.”
One driver for this desire for diversity is the cost of locking in to multiple service providers. “There are companies interested in trying things like Google SecOps (formerly Chronicle) and Microsoft Sentinel, and we also see a lot of CrowdStrike use as well,” Heudecker said. “And they’re thinking, if this Sentinel is bundled with my E5 deal, I owe it to my CFO to check it out, right? Is it going to work for me?”
Cribl enables its customers to take data from any agent and send it to any other SIEMs, reducing the cost of experimentation.
You may also like…
Q&A: What the consolidation of the SIEM market means for IT
Securing client-facing apps in a hostile, risk-filled 21st century