AWS re:Invent 2025 - How Sophos modernizes security data at scale with Cribl and AWS (MAM105)

Modernizing Security Data at Scale with Cribl and AWS

Challenges Faced by Sophos

  • Exponential growth in telemetry data, with 60% year-over-year increases common
  • Diversity of data sources across cloud, endpoints, and more
  • Unsustainable costs and engineering efforts to manage legacy toolsets
  • Inability of existing solutions to keep up with data volume and variety

Cribl's Approach and Solutions

  1. Cribl Edge: Centralized agent management to simplify data collection from sources
  2. Cribl Stream: Flexible data pipeline to collect, transform, route, and enrich data
  3. Cribl Lake: Scalable object storage with built-in governance and access control
  4. Cribl Search: Unified querying across all data sources

Key Outcomes for Sophos

  • 48% cost savings within the first 30 days of using Cribl
  • Achieved data independence and portability, avoiding vendor lock-in
  • Implemented secure-by-design approach to data collection and processing
  • Maintained cost-effectiveness while expanding data sources and use cases

Lessons Learned and Best Practices

  1. Plan for the Long-Term: Adopt a phased, incremental approach to build a comprehensive data plane
  2. Gain Visibility: Establish a centralized view of data sources, flows, and health
  3. Filter and Optimize Early: Proactively manage data volume and cost by tiering and optimizing
  4. Communicate and Collaborate: Work closely with users to update content and manage change
  5. Leverage Data Tiering: Match data cost and value, moving unused data out of expensive storage
  6. Embrace a Phased Migration: Gradually transition to new platforms while maintaining existing workflows

Technical Demonstration

  • Cribl's intuitive user interface for configuring data pipelines and routes
  • Enrichment of firewall logs with additional context and playbook links
  • Structured parsing of complex data formats like netstat output
  • Leveraging Cribl's AI-powered features for guided configuration and optimization

Business Impact and Real-World Applications

  • Enabled Sophos to rapidly expand data sources and use cases while controlling costs
  • Provided data independence and portability, avoiding vendor lock-in
  • Accelerated SIEM migration by allowing parallel data flows to new and legacy platforms
  • Empowered Sophos to better serve the needs of security, IT, and business stakeholders

Conclusion

Cribl's comprehensive data platform helped Sophos modernize their security data management, driving significant cost savings, improved data quality, and enhanced operational efficiency. The lessons learned and best practices shared provide a roadmap for other organizations looking to transform their data and security operations.