Cribl has followed its 2021 ‘breakout’ year with new funding and a significant expansion of its capabilities, reports James Goulding
A lot has happened at Cribl since Technology Reseller last reported on the observability pipeline company’s EMEA expansion plans.
In the last six months, following a record-breaking 2021, in which it tripled its customer base and for the second year in a row achieved a 300% increase in annual recurring revenue, Cribl has expanded its product offering, secured $150 million in Series D funding and introduced a skills training and certification programme for observability engineers.
A successful Series D funding round led by Tiger Global Management and joined by existing investors IVP, CRV, Redpoint Ventures, Sequoia and Greylock less than a year after Cribl’s Series C round brings the company’s total funding to date to $400 million, giving Cribl, in the words of Senior Director of Market Strategy Nick Heudecker, “quite a bit of runway in a very challenging macro environment”.
In particular, the funding will enable Cribl to accelerate its European (and global) expansion plans, which include hiring an EMEA sales team and establishing an EMEA headquarters (location TBC), while continuing to develop new products through its newly launched Cribl Zero2One (C021) perpetual innovation lab.
The first product to come out of C021 is Cribl Search (see below), an open and vendor-agnostic analytics tool that is able to perform ‘search-in-place’ queries on any data, in any format, at any location, helping security and IT operations to keep up with the explosion of telemetry data and eliminate blind spots in data operations.
Cribl Search is a good example of Cribl’s strategy to launch products that complement its flagship observability pipeline, Cribl Stream (previously known as Cribl LogStream), and customers’ existing infrastructures.
Another is Cribl Edge. Launched in March, this universal data collector auto-discovers mission-critical telemetry data at the edge and in highly distributed data sources and sends it into Stream or any other destination. While it can be a replacement for an existing solution, it will also work with other agents used by an enterprise.
Heudecker said: “Cribl Edge is an optional component for sending data from the Edge into Stream or another destination. It allows you to begin collecting data immediately from your servers, Kubernetes clusters etc. and reduce the amount of data you send in, using the same functions you would in Stream, like removing duplicate fields, null values, whitespace etc. Additionally, Edge allows you to teleport to any server that’s running that agent so that you can do remote debugging, you can troubleshoot any issues that may be occurring on that device.
“As we were rethinking what an agent should be, fleet management was one of the capabilities that we added. The average server runs 12 to 15 agents and each one of them must be manually configured and upgraded, even when you’re running hundreds of thousands of agents. We saw that as an opportunity to take the capabilities that we built in Stream and move many of them right out to the Edge to start to really help our users with a pain point that’s ignored by other vendors.”
He added: “Our core value proposition today is still very much Cribl Stream, but Edge makes a lot of sense if you’re in the middle of an upgrade cycle, because it consolidates several agents into one, removes the configuration burden, automatically looks for anything that looks like a log file and starts to catalogue data immediately. It just makes things a lot easier for end users, while offering other capabilities like being able to teleport to those machines.”
Cribl Search has the potential to be an even bigger deal for Cribl. Effectively a federated Search that customers can use on top of existing systems, it addresses a much broader spectrum of data flow and has the potential to usher in a new era of convergence between observability and security operations by enabling queries on any data, in any format, at any location — at the edge through Cribl Edge, in flight through Cribl Stream, in an organisation’s observability lake and even within existing systems.
“In today’s world, if you want to take advantage of the data you have, you typically have to move it to a centralised location like a data lake, a Splunk instance or something like that. You’re moving data before you know if it’s valuable and that can be challenging. If you’ve got 100,000 Windows machines it can be cost-prohibitive and, frankly, network prohibitive to bring in all of that data,” explained Heudecker.
“Cribl Search turns the traditional search story on its head. Instead of forwarding everything and then searching it, we search it first and then forward it. Search allows us to say ‘Alright, let’s go see if there’s anything interesting happening on those remote endpoints. And if there is, let’s bring just that data over’.
“We’re moving Search to the Edge. We are also building Search on Stream, so you’ll be able to search over any data that is passing through Cribl Stream and, lastly, you’ll be able to search data at rest. We have a feature called Replay that allows our users to write data off to an object store for low-cost storage. A lot of our customers take advantage of that capability, so why not enable them to search that data as well.”
He added: “I always think of a data lake as a question development environment. How do I find out the things I don’t know? Being able to search all this data in three different locations, in a unified way, helps you develop that question. And from there you can find the relevant data and then run it to a targeted analytics platform, like your SIEM, like your XDR platform. That’s the overall concept of Search: let me find what I’m interested in and then move it, versus moving everything at very high cost and then working on it.”
Search is due to be launched in the fourth quarter of this year and, according to Heudecker, it is already generating a great deal of excitement amongst Cribl’s customer base.
“The customers we’ve interviewed – very large companies in the entertainment space, banking and financial services, pharmaceuticals and so on – are excited about it because they have data everywhere and they want to do nuanced searches. For example, they might want to look for an IP address across lots of different locations. But doing that has a very high cost. The companies we’ve spoken with are very excited about what this could mean from a security perspective and an operational perspective.”
Zac Kilpatrick, Vice President, Global Channels at Cribl, believes that having a unified query language across three different environments – Edge, Search and Stream – will drive significant growth.
“We think we’re going to continue to have massive growth even through any economic downturn. A big part of what we do is provide cost saving measures for our customers and being able to reduce that data flow has measurable ROI for what we provide, and also reduces the overall cost for customers. That optimisation play for us is really key to our growth, and we think it’s going to help us accelerate through the downturn.”
So what sort of savings does Cribl typically deliver through its products? With the caveat that it depends on each customer case, Heudecker says it is not uncommon for customers to see savings of 30% on ingesting data and even more for certain data types.
“With Windows XML event logs, which produce huge data volumes with not a lot of value, we sometimes see reductions of 80% in data volume. In the case of event per second sources – some SIEM products are run on a per second model – many start events are useless; they tell you that something has started, but all the interesting data is in the end event. If you’re still collecting that start event, you’re paying for it. We can drop that or send it off to object storage for later retrieval, giving a 50% reduction in event per second. So 30% is the fairly conservative figure we quote, but it’s not uncommon to see much higher savings, depending on the data type.”
In addition to savings on infrastructure costs, Heudecker says reduced data volumes and better data quality can increase the speed of search and reduce man hours.
“One of our recent customers processed over a million events through Cribl Stream and because they had optimised that data on the way in, the searches on that data were 227 times faster. The underlying platform performs much better, and if you are in a workload-based pricing model your workloads decrease substantially as well, because you’re working on better data. Getting data in (GDI) is another factor. Today, it can take a security team or an operations team months to pull that data in, refine it and then land it in the platform. We can do that in hours or days.
“Cribl Stream really acts as a force multiplier for security and operations teams. There’s less floor sweeping activity going on so they can focus on their actual jobs. Security people don’t want to be in IT; they want to be in security and do higher level work. We free them up to do that.”
Kilpatrick adds that for these reasons, Cribl solutions are highly valued by security teams. “They are the ones that are actively pursuing us. That’s who we sell to: it’s no secret that our top partners are primarily security-focused sellers,” he said.
In addition to its ongoing product development, Cribl is aiming to elevate the whole observability category through the establishment of a free technical certification programme that will set the industry standard for observability skills, from planning and design to operating and optimising, while giving observability engineers a way to validate their expertise.
The Cribl Certified Observability Engineer (CCOE) programme, accessible through the Cribl University, is launching with two foundational courses: CCOE Stream User, which explains how to use Cribl Stream to create a multi-vendor observability architecture that gives organisations control over all observability and telemetry data; and CCOE Stream Administrator, which provides a deeper technical dive into reducing, enriching, routing and replaying telemetry data.