Cost Benefits

SOAR and Cribl

SOAR Benefit

“With the removal of human L1 as a result of automation the business has made a significant saving on the renewed MSSP contract. We have saved £1.3M over 3 years.”

RiverSafe SoC platforms

When RiverSafe initially built a SoC platform for Customer X, the L1 & L2 was outsourced. The contract value agreed was £5m for 3 years.

Automation of Level 1 activities & Level 2 tasks

Since then, RiverSafe have undertaken extensive automation of Level 1 activities and Level 2 tasks. As a result, MTTR was reduced by 40%.

Enriched Data

Furthermore, we have enriched the data for events going to L2 to further improve the quality & validity of the alerts.

Contract Renewal

The contract renewal was negotiated last year. The new contact value is now £3.7m for 3 years. Savings of £1.3m.

Dedicated Security Automation Engineers

In order to achieve the cost savings, Customer X incurred cost associated with having 2 dedicated Security Automation Engineers to help with developing and maintaining the playbooks.

Reduced Alert Fatigue

Customer X is now able to de-duplicate via SOAR and remove false positives. Their alert fatigue has significantly reduced by about 60-70%.

Cribl Benefit

RiverSafe’s implementation of Cribl at Customer X is helping produce hi-fidelity data.”

Intelligent Data Routing & Data Hygiene

  • Smart routing of data from a single position for fast growing number of different source types (11 currently).​
  • Data lake storage requirements reduction by as much as 30% on average**.​
  • Cribl is now feeding the Customer X SOC SIEM and UEBA platforms as well as the data lake (for beyond security specific analytics), eliminating the need for multiple configurations on data sources to these destinations.​
  • Total Current Cost= $1,202,500 per year  (Splunk License+Compute+Storage)​
  • We anticipate approximately 30% reduction on this cost**
    Key Data SourcesTypical Reduction
    Microsoft Active Directory70%
    This is a breakdown of the top 4 sources that are now routed via Cribl