Exploring Cribl: Sifting Gold from Data Noise for Cost and Security

Summary:

Timothy De Block talks with Ed Bailey, a former Cribl customer who is now Field CISO at Cribl, about how the company is tackling the twin problems of data complexity and AI integration. Ed explains that Cribl's core mission, derived from the French word "cribé" (to screen or sift), is to provide data flexibility and cost management by routing the most valuable data to expensive tools like SIEMs and everything else to cheap object storage. The conversation covers the 40x productivity gains from their "human in the loop AI", Cribl Co-Pilot, and their expansion into "agentic AI" to fight back against sophisticated threats.

Cribl's Core Value Proposition

  • Data Flexibility & Cost Management: Cribl's primary value is giving customers the flexibility to route data from "anywhere to anywhere". This allows organizations to manage costs by classifying data:

    • Valuable Data: Sent to high-value, high-cost platforms like SIEMs (Splunk, Elastic).

    • Retention Data: Sent to inexpensive object storage (3 to 5 cents per gigabyte).

    • Matching Cost and Value: This approach ensures the most valuable data gets the premium analysis while retaining all data necessary for compliance, addressing the CISO's fear of missing a critical event.

  • SIEM Migration and Onboarding: Cribl mitigates the risk of disruption during a SIEM migration, a major concern for CISOs, by acting as an abstraction layer between data sources and destinations. This can dramatically accelerate migration time; one large insurance company was able to migrate to a next-gen SIEM in five months, a process their CISO projected would otherwise have taken two years.

  • Customer Success Story (UBA): Ed shared a story where his team used Cribl Stream to quickly integrate an expensive User and Entity Behavior Analytics (UBA) tool with their SIEM in two hours for a proof-of-concept. This saved 9-10 months and the deployment of 100,000 agents, providing 100% value from the UBA tool in just two weeks.

AI Strategy and Productivity Gains

  • "Human in the Loop AI": Cribl's initial AI focus is on Co-Pilot, which helps people use the tools better. This approach prioritizes accuracy and addresses the fact that enterprise tooling is often difficult to use.

  • 40x Productivity Boost: Co-Pilot Editor automates the process of mapping data into complex, esoteric data schemas (for tools like Splunk and Elastic). This reduced the time to create a schema for a custom data type from approximately a week to about one hour, representing a massive gain in workflow productivity.

  • Roadmap Shift to Agentic AI: Following CriblCon, the roadmap is shifting toward "agentic AI" that operates in the background, focused on building trust through carefully controlled and validated value.

  • AI in Search: The Cribl Search product has built-in AI that suggests better ways for users to write searches and utilize features, addressing the fact that many organizations fail to get full value from their searching tools because users don't know how to use them efficiently.

Challenges and Business Model

  • Data Classification Pain Point: The biggest challenge during deployment is that many users "have never really looked at their data". This leads to time spent classifying data and defining the "why" (what is the end goal) before working on the "how".

  • Vendor Pushback and MSSP Engagement: Splunk previously sued Cribl over cost management, though resulting damages were only one dollar, demonstrating that some vendors initially get upset. However, Cribl is highly engaged with MSSP/MDR providers because its flexibility dramatically lowers their integration costs and time, allowing them to get paid faster and offer a wider suite of services.

  • Pricing Models: Cribl offers two main models:

    • Self-Managed (Stream & Edge): Uses a topline license (based on capacity/terabytes purchased).

    • Cloud (Lake & Search): Uses a consumption model (based on credits/what is actually used).

  • Empowering the Customer: Cribl's mission is to empower customers by opening choices and enabling their goals, contrasting with other vendors where it's "easy to get in, the data never gets out".

Support the Podcast:

Enjoyed this episode? Leave us a review and share it with your network! Subscribe for more insightful discussions on information security and privacy.

Contact Information:

Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.

Check out our services page and reach out if you see any services that fit your needs.
