Case Study - Migrating to Google SecOps

  • Government Organization
  • 20,000-25,000 Employees
  • Volume: 50-90k EPS peak, 1-5 TB/day
  • 40% data volume reduction
  • 85% reduction in infrastructure requirements
Axoflow significantly reduced our infrastructure footprint and operational complexity. It allowed us to migrate to a new SIEM seamlessly while handling 5× more data than before.

Problem

The organization faced both infrastructure and data problems. Its log collection infrastructure had performance issues even though it was not yet collecting from every available data producer, and it suffered from ingestion failures and message drops that were hard to detect. The result was blind spots in coverage, which also exposed the lack of visibility into the data feeding their security detection layer.

On the data side, the year-over-year growth in generated log volume (and, with it, SIEM cost) was a concern, and part of the collected data was not security-relevant at all. The security team decided that the way forward was to:

  • reduce infrastructure and SIEM costs through better filtering and removal of redundant data,
  • upgrade to a performant and reliable security data pipeline that provides visibility into both the pipeline and the data producers, and
  • migrate to a new SIEM (Google SecOps).

Deployment

After a careful assessment and on-site performance tests (the organization had had bad experiences with its previous Windows log collection solution), deploying the components of the Axoflow Platform took only half an hour, and onboarding every data source took a few days. The components deployed were:

  • AxoRouter nodes to receive syslog and Windows Event logs (via Windows Event Collector, WEC), then classify, normalize, and reduce the data
  • AxoConsole (SaaS) to configure, monitor, and oversee the pipeline

Tech stack

Google SecOps
Palo Alto Networks Firewall
F5
Windows Event Logs
Linux System Logs

Axoflow products used

Axoflow Console
AxoRouter

Benefits

  • Reduced the infrastructure requirements by 85%
  • Reliable Windows log collection, handling peaks of 30-40k EPS
  • Reliable syslog collection, handling peaks of over 90k EPS on a single node
  • End-to-end observability of data collection and ingestion
  • Monitoring and eliminating UDP traffic drops
  • Automatic classification of incoming data and adding metadata for Google SecOps
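The UDP drop monitoring listed above is the check a practitioner should be able to reproduce without the vendor's tooling. The following is an added example, not code from the case study or from AxoRouter: syslog over UDP has no acknowledgement, so a collector that cannot drain its socket fast enough loses messages with no error reaching the sender. Linux records the evidence in two places: the two "Udp:" lines of /proc/net/snmp (InErrors counts datagrams that could not be delivered, RcvbufErrors the subset discarded because the socket receive buffer was full) and the per-socket "drops" column, the last field of each row in /proc/net/udp. Sampling both before and after a peak and taking the difference shows whether drops are happening and on which listening port. The snapshots in the block are constructed test data; the file layouts are the real kernel formats.

```python
"""Check a Linux syslog collector for silent UDP message drops.

Added example; not code from the Axoflow case study or from AxoRouter.
Compares two samples of /proc/net/snmp ('Udp:' counters) and
/proc/net/udp (per-socket 'drops' column). The snapshots at the bottom
are constructed test data; read_live() reads the real files on Linux.
"""


def parse_snmp_udp(text):
    """Return the 'Udp:' counters of a /proc/net/snmp dump as a dict."""
    udp_lines = [ln for ln in text.splitlines() if ln.startswith("Udp:")]
    if len(udp_lines) < 2:          # /proc/net/snmp has a header line and a value line
        raise ValueError("no Udp: header/value pair in /proc/net/snmp data")
    names = udp_lines[0].split()[1:]
    values = [int(v) for v in udp_lines[1].split()[1:]]
    return dict(zip(names, values))


def parse_proc_udp(text):
    """Return {local_port: drops} for every socket in a /proc/net/udp dump."""
    drops = {}
    for row in text.splitlines()[1:]:          # row 0 is the column header
        fields = row.split()
        if len(fields) < 13:                   # sl ... inode ref pointer drops
            continue
        port_hex = fields[1].split(":")[1]     # local_address is hexIP:hexPort
        drops[int(port_hex, 16)] = int(fields[-1])
    return drops


def udp_drop_delta(snmp_before, snmp_after, udp_before, udp_after):
    """Difference of drop counters between two samples.

    Returns {'RcvbufErrors': n, 'InErrors': n, 'per_port': {port: n}}.
    A positive RcvbufErrors delta means the kernel discarded datagrams
    because the socket buffer was full: the receiver (or its buffer)
    cannot keep up with the peak rate.
    """
    before, after = parse_snmp_udp(snmp_before), parse_snmp_udp(snmp_after)
    pb, pa = parse_proc_udp(udp_before), parse_proc_udp(udp_after)
    return {
        "RcvbufErrors": after["RcvbufErrors"] - before["RcvbufErrors"],
        "InErrors": after["InErrors"] - before["InErrors"],
        "per_port": {port: pa[port] - pb.get(port, 0) for port in pa},
    }


def read_live():
    """Read the real counters (Linux only); call twice across a peak."""
    with open("/proc/net/snmp") as f, open("/proc/net/udp") as g:
        return f.read(), g.read()


# Constructed snapshots: port 514 (0x0202) dropped 60 datagrams between them.
SNMP_BEFORE = """\
Tcp: RtoAlgorithm RtoMin RtoMax MaxConn
Tcp: 1 200 120000 -1
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 5000000 12 100 900 100 0
"""
SNMP_AFTER = SNMP_BEFORE.replace("5000000 12 100 900 100 0",
                                 "5400000 12 160 950 160 0")
UDP_BEFORE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  100: 00000000:0202 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 ffff88810a2b3c00 5
  101: 00000000:05EA 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 ffff88810a2b3d00 0
"""
UDP_AFTER = UDP_BEFORE.replace("ffff88810a2b3c00 5", "ffff88810a2b3c00 65")

if __name__ == "__main__":
    print(udp_drop_delta(SNMP_BEFORE, SNMP_AFTER, UDP_BEFORE, UDP_AFTER))
```

On a real collector, call read_live() at the start and end of a peak window and pass the four strings to udp_drop_delta(). A growing RcvbufErrors count on the syslog port means either the listener's receive buffer (bounded by the net.core.rmem_max sysctl) is too small for the burst or the receiving process is too slow; the only way to make the loss visible end to end is to switch the sources to TCP or TLS transport, which is why the case study calls out eliminating, not just counting, UDP drops.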

Results

Within days of deploying the Axoflow Platform, the team achieved its goals:

  • stabilizing their data collection infrastructure,
  • onboarding the previously missing data sources,
  • detecting and fixing misconfigured sources that were sending malformed data,
  • reducing data volume (filtering Windows Events effectively and trimming Palo Alto firewall logs),
  • normalizing the ingested messages, and
  • seamlessly switching to their new SIEM of choice.

Using AxoConsole, they also gained immediate visibility into the status of their pipeline, with the ability to drill down into metrics on the endpoints, the pipeline elements, and the data processed and transferred.
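Three of the results above (classifying sources, reducing Palo Alto firewall volume, and catching sources that send malformed data) are pipeline logic rather than product features, so here is what they look like in plain code. This is an added example, not code from the case study or from AxoRouter, and it makes two assumptions not in the text: that PAN-OS TRAFFIC "start" records can be dropped because the matching "end" record carries the session totals (a common reduction, but confirm your detections do not depend on start events), and that the Google SecOps log-type labels are PAN_FIREWALL and NIX_SYSTEM (verify against your SecOps parser list). Every sample line is constructed; malformed messages are quarantined with a reason rather than silently dropped, which is what made the misconfigured sources in the case study detectable.

```python
"""Classify, reduce and tag incoming syslog lines before SIEM ingestion.

Added example; not code from the Axoflow case study or from AxoRouter.
Producer detection uses the PAN-OS CSV layout (field 0 is the reserved
"1", field 3 is Type, field 4 is Subtype). The SecOps log-type labels
and the dropping of TRAFFIC/start records are assumptions; all sample
lines are constructed.
"""
import re
from collections import Counter

# RFC 3164 framing: "<PRI>" then "Mon dd hh:mm:ss host msg".
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
HDR_RE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)

PANOS_TYPES = {"TRAFFIC", "THREAT", "SYSTEM", "CONFIG", "USERID", "HIPMATCH"}

# Assumed ingestion labels; verify against your Google SecOps parser list.
LOG_TYPE = {"panos": "PAN_FIREWALL", "linux": "NIX_SYSTEM"}


def classify(line):
    """Return (source_class, action, record) for one raw syslog line.

    action is 'forward', 'drop' (redundant record) or 'quarantine'
    (malformed; kept with a reason so the source can be fixed).
    """
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:          # PRI is facility*8+severity, max 191
        return "malformed", "quarantine", {"reason": "bad PRI", "raw": line}
    hdr = HDR_RE.match(m.group(2))
    if not hdr:
        return "malformed", "quarantine", {"reason": "bad header", "raw": line}
    ts, host, msg = hdr.groups()
    record = {"ts": ts, "host": host, "msg": msg}
    fields = msg.split(",")
    if len(fields) > 5 and fields[0] == "1" and fields[3] in PANOS_TYPES:
        record["log_type"] = LOG_TYPE["panos"]
        record["panos_type"], record["panos_subtype"] = fields[3], fields[4]
        if fields[3] == "TRAFFIC" and fields[4] == "start":
            return "panos", "drop", record          # assumption: end record suffices
        return "panos", "forward", record
    # Anything else that parses is treated as plain Linux syslog here.
    record["log_type"] = LOG_TYPE["linux"]
    return "linux", "forward", record


def reduce_batch(lines):
    """Classify a batch; return (per source/action counts, forwarded, quarantined)."""
    counts = Counter()
    forwarded, quarantined = [], []
    for line in lines:
        src, action, rec = classify(line)
        counts[f"{src}/{action}"] += 1
        if action == "forward":
            forwarded.append(rec)
        elif action == "quarantine":
            quarantined.append(rec)
    return counts, forwarded, quarantined


# Constructed sample input (not real traffic).
SAMPLE = [
    "<14>Jan 15 10:00:00 pa-fw-01 1,2024/01/15 10:00:00,001122334455,TRAFFIC,start,2562,2024/01/15 10:00:00,10.1.2.3,10.9.8.7",
    "<14>Jan 15 10:00:05 pa-fw-01 1,2024/01/15 10:00:05,001122334455,TRAFFIC,end,2562,2024/01/15 10:00:05,10.1.2.3,10.9.8.7",
    "<14>Jan 15 10:00:06 pa-fw-01 1,2024/01/15 10:00:06,001122334455,THREAT,url,2562,2024/01/15 10:00:06,10.1.2.3,10.9.8.7",
    "<38>Jan 15 10:00:07 web-01 sshd[1234]: Failed password for invalid user admin from 10.1.2.3 port 40000 ssh2",
    "Jan 15 10:00:08 web-02 cron[99]: no PRI on this line",
    "<999>Jan 15 10:00:09 bad-box garbage",
]

if __name__ == "__main__":
    counts, fwd, quar = reduce_batch(SAMPLE)
    print(dict(counts))
    for r in quar:
        print("quarantined:", r["reason"], "<-", r["raw"][:40])
```

The quarantine counter is the signal worth alerting on: a source that suddenly starts landing there has usually had its syslog format or template changed, which is exactly the kind of silent misconfiguration the case study found once the pipeline exposed it.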
