BrainBlog for Crogl by Jason Bloomberg
What is the traditional approach to extracting insights from multiple diverse data feeds, such as the telemetry from the plethora of security tools churning away in a typical enterprise IT environment?
All the data formats are different, so the engineering team has to build a transformation for each feed, implementing extract, transform, load (ETL) pipelines to normalize the data and move it into a central store. To do this, they must map every feed into the same schema so that the security operations (SecOps) team can make sense of the information and proceed with their investigations.
Such normalization of telemetry data has always been expensive, time-consuming and resource-intensive. It is also inflexible: whenever something changes, say when a tool is added or updated, the pipeline requires expensive re-engineering.
Not anymore. Crogl’s patented approach to its knowledge engine removes the need for ETL altogether. No more schema normalization. No more moving and storing data.
And the result? SecOps teams enjoy sufficient context to support AI-driven automation of security investigations and even mitigations.
Crogl’s secret sauce
In the first article in this series, I wrote about Crogl’s knowledge engine and how it plays a central role in providing context to diverse security data.
In his follow-up article, my colleague Eric Newcomer explained how this knowledge engine supports autonomous investigations by automatically mapping data schemas so SecOps pros don’t have to transform or standardize them across multiple tools.
Crogl’s patented secret sauce is how this knowledge engine provides a unified semantic layer across diverse data sets, including real-time telemetry as well as data in data lakes.
Instead of the laborious ETL approach, this semantic layer leaves the source data sets where they are, resolving schema differences on the fly without the need for moving the data or normalizing the schemas.
Rather than treating the interpretation of the data as a normalization problem, Crogl treats it as a knowledge problem that adapts to the customer environment on an ongoing basis.
Because the knowledge engine maintains the context of the data, SecOps teams have enough information to automate their investigations, relying upon the Crogl technology to support AI-driven autonomous behavior.
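To make the contrast between ETL normalization and query-time schema resolution concrete, here is an added example in Python. It is not Crogl's code and does not reproduce how Crogl's knowledge engine derives its mappings automatically; it only shows the general idea of a semantic layer over data that stays in place. The three tools, their field names and the events are all constructed for the example, and the mapping table is written by hand.

```python
"""Query-time schema resolution over heterogeneous security telemetry.

Added illustration of the "semantic layer instead of ETL" idea. Not Crogl's
code: tool names, field names and events below are constructed, and the
mapping table is hand-written rather than derived automatically.
"""
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Optional, Union

# Constructed sample telemetry, kept exactly as each hypothetical tool emits it.
# Same incident seen three ways: host ws-17 talks to 203.0.113.9.
SOURCES: Dict[str, List[Dict[str, Any]]] = {
    "edr": [
        {"ts": "2024-03-01T10:00:00Z", "host": "ws-17",
         "process": "powershell.exe", "remote_ip": "203.0.113.9"},
        {"ts": "2024-03-01T10:05:00Z", "host": "ws-22",
         "process": "chrome.exe", "remote_ip": "198.51.100.4"},
    ],
    "firewall": [
        {"timestamp": 1709287260, "src_addr": "10.0.0.5",          # epoch seconds
         "dst_addr": "203.0.113.9", "action": "allow"},
    ],
    "proxy": [
        {"event_time": "01/Mar/2024:10:02:00 +0000", "client_host": "ws-17",  # CLF-style time
         "dest": "203.0.113.9", "url": "http://203.0.113.9/payload"},
    ],
}

# A field mapping is either a native field name or a function that derives
# the canonical value from the whole native record (for type/format differences).
FieldMap = Union[str, Callable[[Dict[str, Any]], Any]]

ISO = "%Y-%m-%dT%H:%M:%SZ"


def _epoch_to_iso(field: str) -> Callable[[Dict[str, Any]], str]:
    return lambda rec: datetime.fromtimestamp(rec[field], tz=timezone.utc).strftime(ISO)


def _clf_to_iso(field: str) -> Callable[[Dict[str, Any]], str]:
    return lambda rec: (datetime.strptime(rec[field], "%d/%b/%Y:%H:%M:%S %z")
                        .astimezone(timezone.utc).strftime(ISO))


# The semantic layer: canonical field -> per-source resolver. Native records are
# never rewritten or copied; only this table knows how the schemas differ.
SEMANTIC_LAYER: Dict[str, Dict[str, FieldMap]] = {
    "edr":      {"time": "ts", "host": "host", "dst_ip": "remote_ip"},
    "firewall": {"time": _epoch_to_iso("timestamp"), "src_ip": "src_addr", "dst_ip": "dst_addr"},
    "proxy":    {"time": _clf_to_iso("event_time"), "host": "client_host", "dst_ip": "dest"},
}


def resolve(source: str, record: Dict[str, Any], canonical: str) -> Optional[Any]:
    """Return the canonical field's value for one native record, or None if the
    source has no notion of that field (not every tool records a host, say)."""
    mapping = SEMANTIC_LAYER.get(source, {}).get(canonical)
    if mapping is None:
        return None
    return mapping(record) if callable(mapping) else record.get(mapping)


def query(canonical: str, value: Any) -> List[Dict[str, Any]]:
    """Every record from every source whose canonical field equals value,
    as a source-tagged timeline. Nothing is normalized ahead of time."""
    hits = []
    for source, records in SOURCES.items():
        for rec in records:
            if resolve(source, rec, canonical) == value:
                hits.append({"source": source, "time": resolve(source, rec, "time"), "record": rec})
    hits.sort(key=lambda h: h["time"] or "")
    return hits


def register_source(name: str, records: List[Dict[str, Any]], mapping: Dict[str, FieldMap]) -> None:
    """Onboarding a new tool is one mapping entry; existing sources and queries
    are untouched, in contrast to re-engineering and re-running an ETL pipeline."""
    SOURCES[name] = records
    SEMANTIC_LAYER[name] = mapping


if __name__ == "__main__":
    for hit in query("dst_ip", "203.0.113.9"):
        print(hit["time"], hit["source"], hit["record"])
```

The timeline query above returns the EDR, firewall and proxy records in time order even though each stores its timestamp differently; a fourth source can be added with `register_source` and immediately participates in the same queries. What this toy does by hand (writing the mapping table) is the part the article attributes to Crogl's knowledge engine doing automatically.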
But wait! There’s more!
An added benefit of Crogl’s knowledge engine is that it can run anywhere – in the cloud as a SaaS offering to be sure, but also on-premises or even in air-gapped environments.
As long as it has access to the source telemetry, it can do its work under the organization's oversight and control.
For any enterprise concerned that its security infrastructure could itself become a point of compromise (and who isn't concerned these days?), the ability to run on-premises, with raw telemetry never leaving the organization's own environment, is a must-have. The trade-off, as with any self-hosted component, is that hardening and patching the engine then fall to the organization as well.
Crogl’s knowledge engine approach has additional benefits: SecOps teams no longer have to spend time on data cleaning or data normalization, as Crogl takes care of those tasks automatically.
They also no longer need to worry about brittle playbooks and automation. Real-world incidents rarely match the playbooks written for them, requiring constant tweaks and workarounds and preventing effective automation. Crogl addresses these issues as well.
The Intellyx take
No ETL, no schema normalization, no data movement, and no playbooks – Crogl does a great job of removing costly roadblocks from the day-to-day work of SecOps.
What is missing from this story? Response plans. In the absence of playbooks, SecOps pros must still know how to respond to incidents and indications of compromise.
Eric will discuss how Crogl automatically generates response plans in the conclusion of this article series. Stay tuned!
Copyright © Intellyx BV. Crogl is an Intellyx customer. Intellyx retains final editorial control of this article. No AI was used to write this article. Image credit: Craiyon.