50% reduction of costs
85% reduction of MTTR

We’ve evaluated different solutions and Axoflow checked all the boxes.

Problem
The customer is responsible for managing security data and delivering it to their SIEM. Spread across more than 40 locations around the world, much of that data was never properly formatted or parsed. Years of sending unstructured data to the SIEM (Splunk) had resulted in a costly, overloaded SIEM that depended heavily on an internal knowledge base, one that was shrinking as long-time employees left the company.
The customer wanted to modernize their SIEM pipeline, including the collection, transformation and transport systems feeding their cloud-based SIEM, storage and AI applications. The main driver, however, was controlling the cost of the data sent to the SIEM. Those costs had risen year over year as the customer's data rates continued to grow. At implementation the customer was sending approximately 2 TB/day to Splunk and was planning to double their security coverage, which would move their pricing tier well above 3 TB/day. Given the burden of manual configuration management, the customer concluded that an automated data pipeline was the best choice to contain their ever-growing SIEM costs and to give them flexibility in the future.
Deployment
Axoflow deployed the Axoflow Platform across geographies, operating both on-prem and in the cloud; the customer uses Axoflow Console as a SaaS offering. In each location an AxoRouter is deployed, both on-prem and in cloud environments, to collect syslog data from various sources. It does the heavy lifting of automatic data classification, parsing and routing to the appropriate destinations. Monitoring and management are centralized in the Console, where operators can view the overall performance, health and data flows of their security data pipeline. They also gained insight into rogue devices sending logs and, conversely, into expected sources whose logs had stopped arriving. The user established policies defining the default behaviour for such cases, and alerting rules are now in place to keep the pipeline operating reliably.
Tech stack
Splunk Cloud
Secureworks XDR
Splunk UF/HF
syslog-ng servers
Axoflow products used
Axoflow Console
AxoRouter
Benefits
- Centralize and reduce the overall cost of security operations.
- Simplify day-to-day operations, identify incidents, reduce MTTR, increase visibility and control.
- Improve data quality that reaches the SIEM (schema and labeling).
- Add flexibility using routing, change tools, and backends at will.
- Overall system health check and alerting.
Results
For Windows events the reduction was even more dramatic: Axoflow reduced Windows traffic by 55%, which includes transforming the data into a more compact format and eliminating frequent but unused events from the stream.
The third-largest data source was ZScaler. Apart from reducing its data volume by 36%, we also identified that some of the customer's ZScaler devices were using different logging formats, which had resulted in non-uniform parsing rules at the SIEM.
HealthCheck benefits: aside from the main goal of optimizing the data sent to the SIEM, Axoflow Console identified several health issues within the environment:
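Format drift of the kind described above, the same product emitting RFC 5424 on some nodes and the older BSD (RFC 3164) header on others, can be caught with a small classifier keyed on the syslog header, before each variant needs its own parsing rule at the SIEM. The following is an added example, not Axoflow's or the customer's code: the host names, the `nss` application name and the log lines are constructed for illustration, and the classifier recognises only the two standard header formats.

```python
import re
from collections import Counter, defaultdict

# Added example, not Axoflow code. Classifies syslog lines by header format so that
# sources emitting more than one format (mixed RFC 5424 / RFC 3164 / bare text) can be
# flagged before they reach the SIEM, where each format would otherwise need its own
# parsing rule.

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)
# RFC 3164 (BSD): <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

UNPARSED = "(no syslog header)"


def classify(line: str) -> dict:
    """Return the detected format, the reporting host and the message body of one line."""
    m = RFC5424_RE.match(line)
    if m:
        return {"format": "rfc5424", "host": m.group("host"), "msg": m.group("msg")}
    m = RFC3164_RE.match(line)
    if m:
        return {"format": "rfc3164", "host": m.group("host"), "msg": m.group("msg")}
    # No recognisable header: the SIEM would have to guess the timestamp and source.
    return {"format": "unknown", "host": UNPARSED, "msg": line}


def format_report(lines) -> dict:
    """Map each host to a Counter of the formats it was seen using."""
    report = defaultdict(Counter)
    for line in lines:
        rec = classify(line)
        report[rec["host"]][rec["format"]] += 1
    return dict(report)


def inconsistent_hosts(lines) -> list:
    """Hosts that emitted more than one format: candidates for non-uniform parsing at the SIEM."""
    return sorted(h for h, c in format_report(lines).items() if h != UNPARSED and len(c) > 1)


# Constructed sample (hypothetical hosts and app name): two nodes of the same product,
# one of which switched to the BSD header mid-stream, plus one line that lost its header.
SAMPLE_LINES = [
    '<134>1 2024-05-01T10:00:00Z zs-node-01 nss - - - {"action":"allowed","url":"example.com"}',
    '<134>May  1 10:00:01 zs-node-02 nss: {"action":"blocked","url":"bad.example"}',
    '<134>1 2024-05-01T10:00:02Z zs-node-01 nss - - - {"action":"allowed","url":"example.org"}',
    '<134>May  1 10:00:03 zs-node-01 nss: {"action":"allowed","url":"example.net"}',
    "action=allowed url=example.com",
]

if __name__ == "__main__":
    for host, counts in format_report(SAMPLE_LINES).items():
        print(host, dict(counts))
    print("hosts with mixed formats:", inconsistent_hosts(SAMPLE_LINES))
```

Run against a sample of traffic per source, the report makes a silent reconfiguration on one node visible as a second format under the same host, and the header-less line shows up as a separate bucket that would otherwise be timestamped on arrival rather than at the device.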
- Message drops
- Syslog parsing issues
- Sudden peaks of internal logs going to Splunk
- Multiple abandoned disk buffers
Axoflow Console provided root-cause analysis of the full disk buffers on the more heavily loaded forwarders and cross-checked them against the configured buffer size, resulting in a more efficient processing flow, with alerting in place and no more data loss at peak data rates.
The Console also showed multiple misparsed data types and random bursts of internal syslog messages, both of which could then be mitigated. Such problems can go unnoticed for years until a major outage occurs; Axoflow Console can identify and track the root cause in minutes.