June 9th, 2022
Reducing Splunk spend with LimaCharlie
Ross Haleliuk
Endpoints as well as applications such as AWS, Google Cloud, Office 365, 1Password, Slack, and thousands of others produce vast amounts of data. The volume of security data is growing, and this growth will continue for the foreseeable future. This, in turn, leads to several challenges:
To detect threats and respond to incidents, it is not sufficient to simply collect all these logs. You need to have the ability to bring them all into one place for correlation and a holistic view of your security posture.
To meet the compliance requirements, organizations need to store security data for a set amount of time; a solid data storage strategy is also a prerequisite for retroactive threat hunting.
Data storage is expensive which forces organizations and security teams to sacrifice visibility and trade it for cost reduction.
To solve these problems, many companies have adopted Splunk as their SIEM (security information and event management) platform. There are many benefits of using Splunk - increased efficiencies, improved visibility, saved time, and increased resource utilization. It’s no wonder that the company was named a leader in the SIEM market for eight years in a row.
Splunk makes it easy to collect all the data from across the organization. The downside of that ease is the price. As anyone who uses Splunk knows, if not controlled well, the bill can skyrocket. The company is notorious for high cost, so much so that it sometimes becomes a center of jokes in cybersecurity circles.
Pricing challenges aside, Splunk solves the problems really well for some customers and is here to stay. The great news is that with LimaCharlie, pricing is no longer a concern.
LimaCharlie enables users to reduce Splunk spend and increase visibility while giving security teams more control over their data. In this post, we will walk you through four steps to achieve it.
Fundamental challenge
The best way to save on Splunk is to reduce the amount of data that needs to be sent to Splunk, to begin with. While this is obvious, it introduces a fundamental challenge: while not everything needs to go to Splunk, if you filter it out, you will end up losing potentially valuable data.
When we talk to customers, we often hear them say something along the lines of: “Out of 100GB I am sending to Splunk, I probably need between 10% and 30% of that data to go there, but I don’t want to lose the rest”.
This is why using LimaCharlie with Splunk can be a great solution.
LimaCharlie for telemetry storage & cost optimization
Collect the data from any source
LimaCharlie extends the definition of a sensor beyond just the event collection from the endpoints. LimaCharlie sensor collects endpoint, network, and external log telemetry that is then displayed in a single interface and can have detections, automations, and response rules applied at wire speed.
LimaCharlie has the ability to ingest logs or telemetry from any external source in real-time. Includes built-in parsing for popular formats (Carbon Black, Google PubSub, Office 365 logs, Google Cloud Audit logs, 1Password, and more), with the option to define your own for custom sources.
Cost-effective full telemetry retention
LimaCharlie offers 1 year of full telemetry storage and search capability at no extra cost. This means that not only detections but all endpoint, network, and external logs telemetry will be stored in LimaCharlie, making our offering one of the most cost-effective ways to store your security data.
Using the web-based interface, users can interact with individual endpoints in real-time or search and explore a year’s worth of data and quickly see the extent of the compromise.
Send the data where it is needed
One of the easiest ways to save on Splunk is to reduce the amount of data that needs to be sent to Splunk, to begin with. While LimaCharlie’s 1 year of full telemetry storage is a helpful first step, the next step is to decide where else you want to send your data and what exactly you want to be sent.
Users have the ability to send any of the following types of data (streams) to any external destination:
events directly emitted from sensors
detections reported by the rule engine
deployments representing new sensors coming online
audit logs for management activity within LimaCharlie
artifacts collected from sensors or uploaded via API
events selected using the "output" action of D&R rules
Control the granularity of what is sent
LimaCharlie outputs allow you to adjust the granularity of the data you want to share. Choose to send different event types to different destinations; decide to send emails only about high severity detections, or otherwise create the rules that fit your workflow.
You have the ability to control what data is sent by leveraging our advanced filters & configurations which include:
send the data only from a specific sensor or a group of sensors
send (or exclude) specific event types
wrap JSON event with event type
flatten JSON to a single level
Gzip files
only forward the original logs (excluding the routing label), to remove any additional overhead
and many others.
Other advantages of using LimaCharlie for data storage
By using LimaCharlie for data storage & Splunk cost reduction, you are automatically gaining access to many other powerful capabilities that security infrastructure as a service approach enables, including:
Endpoint Detection & Response (EDR)
Windows Event Log monitoring
Yara Scanning
Atomic Red Team, Velociraptor, SOC Prime, and other integrations
Once your telemetry is flowing into LimaCharlie, it is easy to try any other security products and experiment with different vendors without having to reconfigure your whole setup. To send telemetry to a new security product, simply configure a new LimaCharlie Output. This allows you to have full visibility of where your security data is going, what exactly is going there, and granular control to decide what you want to send. Whether you want to output DNS traffic, detections from a single endpoint, or one specific event from a group of sensors - LimaCharlie’s advanced controls enable you to be as specific as you need to be. To stop the flow of data to any destination, simply remove the corresponding Output in LimaCharlie.
Conclusion
By introducing LimaCharlie in the middle, between data sources (Sensors) and destinations (Outputs), security teams can reduce Splunk spend, increase visibility, and gain full control over their data.
LimaCharlie’s pricing is fully transparent, and you can get started without having to attend a demo or talk to the salespeople. Having said that, our security engineers are always happy to help with your use case and to suggest optimal ways to solve your problem.