
Healthcare Provider Cuts Security Telemetry Costs by 77% in Two Weeks

“The team migrated nearly all sources into Bindplane in just three days with no downtime. In just two weeks, we turned a $2.6M budget crisis into $2M in savings.”

Chief Information Officer, Executive Team, Major Healthcare Provider

Problem

A major healthcare provider discovered it was on track to spend $2.6M in cloud security (Google SecOps) ingestion overages by the end of the year. The overspend threatened to derail the security budget at a time when resources were already under pressure.

Their problem was both data volume and a lack of control over what was actually being ingested. Data volumes continued to grow rapidly, while the requirements of their security and observability teams evolved just as quickly.

This organization needed a way to reduce ingestion without compromising data integrity, ensuring that critical insights were preserved while unnecessary noise was eliminated.

After moving away from Splunk, the healthcare provider continued to use Splunk heavy forwarders to route telemetry. While technically functional, this setup required regex expertise and complex configuration management that the team did not have.

The result was raw data from 26 sources, including Windows event logs, firewall data, identity logs, endpoint telemetry, and network syslog, flowing straight into their security platform, Google SecOps, and driving costs through the roof.

Challenge

Several challenges made the problem difficult to solve:

  • Knowledge gaps — Infrastructure teams managed filtering, but did not consume the data, creating delays in coordinating with security teams.
  • Technical complexity — Regex-heavy filtering was impractical and error-prone.
  • Scale and diversity — 26 data sources, each with unique filtering requirements.
  • Time pressure — Budget deadlines demanded fast action.
  • Risk sensitivity — Security monitoring could not afford downtime.

Requirements

The healthcare provider defined strict requirements for any solution:

  • Rapid deployment — results in days, not months.
  • Seamless integration with existing Splunk forwarders.
  • Broad source support across on-prem and cloud feeds.
  • Ease of use without regex or specialized expertise.
  • Zero downtime during implementation.
  • Real-time dashboards to track cost impacts.
  • Guided expertise while keeping implementation in-house.

Solution

The provider selected Bindplane for its telemetry pipeline.

Week One: Fast Migration

After a short evaluation, the team migrated nearly all sources into Bindplane in just three days with no downtime. By installing Bindplane Collectors alongside Splunk forwarders, they kept existing infrastructure intact while gaining advanced filtering and processing capabilities.

Week Two: Optimization

With Bindplane’s guidance, the team implemented:

  • Filtering for high-volume Windows event logs
  • Firewall log reductions
  • Optimizations for identity and endpoint telemetry
  • A roadmap for remaining cloud-based feeds

Results

Within the first month, projected overages dropped from $2.6M to $600K. This was a 77% cost reduction, amounting to $2M in annual savings.

Dashboards provided immediate visibility into savings, and the internal team handled most of the rollout independently, showing how intuitive Bindplane is compared to regex-heavy tools.

Key success factors:

  • Leadership commitment to rapid action
  • User-friendly filtering and management
  • Zero downtime during deployment

Future

The healthcare provider is now:

  • Migrating remaining cloud feeds through Bindplane
  • Automating filtering policies and exploring HA features
  • Reallocating millions in savings to new security initiatives
  • Sharing its experience with other healthcare organizations
  • Using dashboards to proactively manage future costs

A success story to be proud of ❤️

In just two weeks, this healthcare provider turned a $2.6M budget crisis into $2M in savings. With Bindplane, they achieved both immediate cost control and a scalable foundation for long-term observability success.
