A Global Investment Bank Restores Security Visibility with Imply Lumi While Cutting Observability Costs

Overview

A leading global investment bank needed to scale security investigations without increasing observability costs. By deploying Imply Lumi as a shared observability data layer beneath Splunk, the bank dramatically expanded security data retention, improved investigation performance, and reduced costs—while preserving existing tools and workflows.

Challenge

The bank was generating approximately five terabytes of security telemetry per day—far more than it could afford to index long term in Splunk. While this data was essential for investigations, threat hunting, and incident reviews, rising ingest and indexing costs forced the organization to reduce indexed volume and push data into cold storage.

This created a persistent tradeoff between cost and visibility. During investigations, security teams often lacked fast access to historical data, slowing response and increasing risk. At the same time, finance leaders began evaluating a full SIEM migration driven primarily by cost pressure rather than technical fit.

Results

  • Over 70% reduction in overall Splunk-related observability costs
  • Five terabytes per day of additional security data retained and queryable
  • Faster, more responsive investigations across historical data
  • Zero disruption to existing security workflows
  • No SIEM migration required

Why it Matters

Imply Lumi allowed the bank to decouple security data economics from frontline tools. Instead of forcing a disruptive SIEM migration, the organization introduced a modern observability data layer that scaled independently of Splunk licensing constraints.

The bank gained a sustainable way to retain and investigate far more security data without increasing costs or disrupting existing tools—turning a finance-driven migration discussion into a long-term optimization strategy powered by Imply Lumi.
