Case Study

  • Large government organization
  • 100,000+ employees
  • 20TB/day data volume
  • 1-10k sources
Case Study - Axoflow

Imagine working in the dark every day and then one day someone walks in and turns on the lights… Axoflow turns on the lights.


Problem

The customer has cross-domain security data management responsibilities: collection, transformation and transport of data to their cloud-based SIEM, storage and AI applications. Because the organization has multiple siloed contributors, it is incredibly hard to determine who is sending what data. On top of that, the data is similar across contributors (such as firewall data). There was a constant stream of malformed messages, inaccurate source types and a range of performance issues that resulted from these inconsistencies in the data pipeline. This caused noise and inefficient security queries for their downstream consumers.

Troubleshooting issues as they arise is time-consuming and requires cross-silo cooperation. The size of the infrastructure and scaling techniques such as load balancing make debugging complex. Tracking down the origin of an event, or detecting missing ones, depends on the SIEM. For example, the event includes the host IP address but cannot indicate which entity it came from. The entire collection layer for syslog and Windows events was hidden behind the curtains.


Deployment

Axoflow's initial deployment included Axolet agents alongside the syslog-ng servers operating both on-prem and in the cloud. Axolet pulls real-time analytics and metrics from the syslog-ng servers without disrupting the data flow or accessing the data itself. Axoflow Console dashboards and alerts present the data in a form the human eye can take in at a glance. Operators can immediately oversee the overall performance, health and data flows of their security data pipeline, pinpointing problems and root causes.

Tech stack

  • Google Pub/Sub
  • syslog-ng PE

Axoflow products used

  • Axolet
  • Axoflow Console


Benefits

After installation of the Axolets on each of the syslog-ng instances, the customer could immediately view the data flows and understand all the elements of their security data pipeline. Key metrics the customer chose to use:

  • Maintain an inventory of all current assets contributing data to the system.
  • Identify total data contribution to the SIEM by business unit and source.
  • Troubleshoot a specific log source from any individual business unit/source.
  • Enumerate all log sources that are not processed by syslog-ng and route them to a fallback destination.
  • Enumerate all log sources and their respective protocols/ports/topics while enrolling a specific business unit.
  • Enumerate a specific log type arriving over different protocols (UDP/TCP) or ports.
  • Map source host to source IP when the source log traverses NAT.
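The checks in the list above (and the "which entity sent this?" problem from the Problem section) can be expressed as a small pipeline-observability pass over what a collector sees: sender IP, transport, and the raw line. The following Python is an added example written for this page, not Axoflow's or syslog-ng's code; the enrollment inventory, host names, business units and the sample syslog lines are all constructed and hypothetical, and the header matchers are deliberately minimal.

```python
import re
from collections import defaultdict

# Constructed enrollment inventory (hypothetical hosts, units and transports):
# the source of truth that live traffic is compared against.
INVENTORY = {
    "fw-hq-01":     {"unit": "HQ-Network", "proto": "udp", "port": 514},
    "fw-branch-07": {"unit": "Branch-Ops", "proto": "tcp", "port": 6514},
    "dc-ad-02":     {"unit": "Identity",   "proto": "tcp", "port": 514},
}

# Minimal header matchers for the two common syslog framings.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<rest>.*)$")
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$")


def parse_header(line):
    """Return the HOSTNAME field, or None when neither framing matches."""
    for rx in (RFC5424, RFC3164):
        m = rx.match(line)
        if m:
            return m.group("host")
    return None


def analyze(records):
    """records: (src_ip, proto, port, raw_line) tuples as seen at the collector."""
    report = {
        "messages_by_unit": defaultdict(int),
        "bytes_by_unit": defaultdict(int),
        "hosts_by_ip": defaultdict(set),   # NAT: one IP fronting several hosts
        "transport_mismatch": [],          # enrolled transport != observed one
        "malformed": [],                   # header did not parse at all
        "fallback": [],                    # would go to the fallback destination
    }
    for src_ip, proto, port, line in records:
        host = parse_header(line)
        if host is None:
            report["malformed"].append((src_ip, line))
            report["fallback"].append((src_ip, proto, port, line))
            continue
        report["hosts_by_ip"][src_ip].add(host)
        entry = INVENTORY.get(host)
        if entry is None:
            # Known framing but not enrolled: attributable to nobody yet.
            unit = "unassigned"
            report["fallback"].append((src_ip, proto, port, line))
        else:
            unit = entry["unit"]
            if (proto, port) != (entry["proto"], entry["port"]):
                report["transport_mismatch"].append((host, proto, port))
        report["messages_by_unit"][unit] += 1
        report["bytes_by_unit"][unit] += len(line.encode())
    return report


def nat_collisions(report):
    """Source IPs behind which more than one host name was observed."""
    return {ip: sorted(h) for ip, h in report["hosts_by_ip"].items() if len(h) > 1}


# Constructed sample traffic: two firewalls behind one NAT address, a domain
# controller, a non-syslog blob, and an unenrolled printer.
SAMPLE = [
    ("203.0.113.10", "udp", 514,
     "<134>Mar  3 10:15:01 fw-hq-01 kernel: ACCEPT src=10.0.0.5 dst=10.0.1.9"),
    ("203.0.113.10", "udp", 514,
     "<134>Mar  3 10:15:02 fw-branch-07 kernel: DROP src=10.9.0.4 dst=10.0.1.9"),
    ("198.51.100.7", "tcp", 514,
     "<165>1 2024-03-03T10:15:03Z dc-ad-02 lsass 4120 ID47 - logon ok"),
    ("198.51.100.9", "tcp", 514, "this is not syslog at all"),
    ("198.51.100.11", "tcp", 514,
     "<13>Mar  3 10:15:04 printer-lobby cups: job 17 done"),
]

if __name__ == "__main__":
    rep = analyze(SAMPLE)
    print("bytes by unit:", dict(rep["bytes_by_unit"]))
    print("NAT collisions:", nat_collisions(rep))
    print("transport mismatches:", rep["transport_mismatch"])
    print("fallback candidates:", len(rep["fallback"]))
```

Run as a script it prints the per-unit volume, shows that 203.0.113.10 fronts both firewalls (so the IP alone cannot name the contributor), flags fw-branch-07 as enrolled for tcp/6514 but arriving over udp/514, and counts the two lines that a fallback log path would catch. The same shape of report is what an operator wants in a dashboard: inventory, contribution per business unit, and the exceptions, rather than the raw stream.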

Results

  • The resulting data quality improvements not only improved internal SLAs across teams but also reduced the total number of tickets.
  • MTTR for troubleshooting daily data flow issues was significantly reduced, from hours to minutes.
  • Identifying misparsed events became immediate instead of waiting for reports back from the SIEM team.
  • The entire workflow of the SRE team changed from trying to figure out what was broken to concentrating every day on the data issues that caused their biggest problems.
