How Cribl scales its cloud security strategy to match its hypergrowth

To grow securely as it scales, Cribl adopted Wiz to gain visibility across its rapidly expanding cloud environments, monitor cloud misconfigurations, and detect real-time threats.

Cribl

Industry: Technology

Region: North America

Cloud Platforms: AWS, Kubernetes

Challenge

  • Cribl’s security team found it difficult to track down resources, collate information, and associate it with specific risks. 

  • To support its rapid growth, Cribl’s developers could spin up resources as needed, but the team also had to ensure unused resources were removed. 

  • To work more efficiently, the company’s small security team sought to consolidate multiple security use cases into a single solution while still maintaining exemplary outcomes for each use case. 

Solution

  • Cribl uses Wiz as a single pane of glass to view, manage, and prioritize remediation across its cloud environments. 

  • With this improved visibility, Cribl can identify unused resources, have more informed conversations with developers about what’s being used, and prevent resource sprawl. 

  • The Cribl team relies on Wiz CNAPP to manage multiple security use cases, from monitoring cloud misconfigurations and vulnerabilities to real-time threat detection, in one place.

Reduced cloud footprint & costs

by removing unused resources

Days to minutes

reduction in time to identification and remediation, improving overall security posture

Tool consolidation

into a single security solution, improving interoperability while reducing integration costs

Securing data for discerning cloud security professionals 

As an organization that offers products and services to other IT and cloud security teams, Cribl has to ensure its own cloud security infrastructure is top-notch. The company provides enterprise organizations with a data engine that collects, processes, routes, and analyzes data to support IT and security teams’ ever-changing data needs. Founded in 2018, Cribl has grown from a team of dozens to more than 600. Meanwhile, securing its infrastructure has become more complicated.  

We can’t compromise on security, especially because we’re asking other security teams to trust us. We have a very security-first executive team, and they understood that we needed active monitoring, secure configurations, vulnerability scanning, and everything in between to serve ourselves and our customers.

Rory McEntee, Senior Manager of Product Security, Cribl

The company’s small security team relied on native security features from their cloud providers to monitor their environment. Still, they sought more scalability as they looked toward a more complex, multi-cloud future. “When we were a company of 30 people, we were focused on growing quickly,” says Steve Litras, Senior Director of IT & Security at Cribl. “But as we’ve scaled, the focus has begun to flip toward solutions that can support our growth.”

As the organization’s cloud environment evolved, the team found that tracking down resources, collecting information about them, and associating all that information to a specific risk took hours of manual work. “I needed visibility into things that would take so long to tool together,” says Randy Rinehart, Principal Product Security Engineer at Cribl. “Without a way to get real-time data about what’s happening in your cloud, especially while growing so quickly, you risk overlooking something.” 

Beyond monitoring and remediation, the team also set goals to reach more stringent compliance frameworks. “Every one of those frameworks—from NIST to ISO—requires you to know exactly what resources you have, so we needed a solution that provided that visibility. With Wiz, everyone at Cribl is more conscious of what they're doing in the cloud,” Rinehart adds. 

Providing instant visibility across a rapidly expanding environment 

After implementation, the Cribl team started to build Wiz into the core of its cloud security strategy. The first step was continuing to understand its complete cloud inventory. With the security graph, the team could see its entire environment, pull asset inventories, scan for vulnerabilities in a single place, and pull IP ranges for pen testers. “I expected we'd need multiple security tools because I only knew the limitations of other CSPM solutions,” says Rory McEntee, Senior Manager of Product Security at Cribl. “But I was wrong. Right off the bat, Wiz gave us visibility into our environment and valuable metadata about our entire cloud.”  

Reviewing assets was a vital first step, but the team also wanted to automate aspects of its security workflows. “We connected Wiz to JIRA because that's how we ticket our engineers,” Rinehart shares, “and integrated Wiz with Slack to share updates directly with specific teams. We also have a few larger channels that reach across groups because the more eyes on risks, the better.” Similarly, the team uses Wiz projects to create access-based assignments, so users can get the necessary information without sifting through excess data.

Wiz empowers us to enforce patch management because we have better visibility. We can find, understand, and communicate about risks, then act on them, without having to spend valuable time collecting data. It helps me sleep at night knowing our systems are automatically patched.

Randy Rinehart, Principal Product Security Engineer, Cribl

Cribl also built specific configuration rules into Wiz, ensuring that alerts sent through these automated channels are critical for the organization. Combining improved visibility with these automations enables the security team to easily track down, discuss, and remove unused resources. “Previously, developers found it easier to terminate a virtual machine than remediate an issue in a pre-production or sandbox,” says Rinehart. This visibility has not only reduced the attack surface but also helped reduce overall cloud costs. “Since we operate on a public cost base, it’s easy to spin up a resource, forget it existed, and we end up paying for something we don’t need. With Wiz, workloads have plummeted by a few thousand as more unused, forgotten resources have been deactivated.”

With improved monitoring, the security team can confidently provide developers more freedom and flexibility to build and test new features and deploy quickly while remaining secure. “Our developers and engineers now feel empowered to build whatever they want, and we can still clearly see which resources are created where, so we can protect them,” adds McEntee. Going forward, the security team is working with teams that write Infrastructure as Code (IaC) and want to gain insights before they deploy. Using Wiz Code is helping Cribl shift further left by building security steps earlier and earlier into the development process.

Creating an interconnected security environment by consolidating security tooling  

The team continues to evaluate each piece of their security tooling carefully before selecting an option. “We like not having to adopt more tools, but we aren’t just selecting Wiz solutions because of that bias. It continues to be the right fit,” Rinehart says. By accessing a wide array of security solutions in a single place, Cribl has gradually found more and more ways to use Wiz across its cloud. Most recently, it deployed the Wiz Runtime Sensor in its Kubernetes clusters for real-time detection and response. “The sensor is fast, high performance, and focuses on real attacks,” says Rinehart. “It's helping us uncover anomalous events and getting that information back to Wiz, so we can address them.” Next, the team deployed the Linux sensor, which they quickly saw value in during the initial preview.

They also leverage Wiz CDR and its cloud-native forensics capabilities to quickly and accurately investigate threat detections. “A few months ago, we had an incident related to cryptominers in one of our sandboxes,” Rinehart shares. “I had to do all of the investigation manually to understand the situation. The next time we had a similar incident, we had Wiz Forensics, and we were able to send a snapshot to a new account in minutes.”

With Wiz, our cloud security process is more standardized; it's easier for other people to step in to see everything, understand it, and remediate. Now, when our Principal Product Security Engineer goes away, we miss him, but Cribl doesn't fall apart.

Steve Litras, Senior Director of IT & Security, Cribl

“With all of these tools working together, it’s easy to see what’s happening, identify issues, and remediate because we know what we were dealing with so fast,” says Litras. Consolidating its security stack with Wiz also makes reporting and sharing information easier than ever. “When we bring an issue to somebody, if they understand what we're saying, they try to move on it pretty quickly,” says Litras. “The Wiz security graph helps us explain to developers why an issue matters, with all of the information in one place.”

Partnering with Wiz to expand security coverage 

Cribl continues to work with Wiz’s sales and support teams to implement new features as they’re released, provide feedback on existing products, and even set up monthly calls to stay ahead of launches. “It’s hard to keep up with all of the new features, but if something releases, and we see value, we’ll turn it on immediately,” said Rinehart. One example was Wiz Forensics, which helped Cribl reduce a lengthy manual investigation to minutes. 

“With Wiz, we can give our customers the confidence we’re going to secure their data which has reduced our sales cycle. We’ll continue to invest in it because we see the impact,” adds McEntee. 
