Live Workshop icon

June 24: Higher Education Roundtable

Building a Modern Security Stack Workshop Recap

See how Garland, Corelight and Humio observability tools work together in real time

May 4th, 2020

In our April 30th Building a Modern Observability Stack workshop, experts from Garland Technology, Corelight, and Humio showed how their products work together to provide actionable real-time access to information. By completing the observability picture with packet information and network traffic, this solution improves response time, enabling SecOps and DevOps teams to find root causes of problems in seconds.

Watch the Workshop


The workshop featured presenters including:

  • Neil Wilkins, Technical Manager at Garland

  • Edward Smith, Senior Product Marketing Manager at Corelight

  • Ronnie Ganwani, Technical Marketing Engineer at Corelight

  • Richard Patrick, Solution Engineer at Humio

Building a modern stack

If you can see the packet, you can see everything.
Neil Wilkins

Technical Manager, Garland

Neil Wilkins provided an overview of Garland Technologies network taps, explaining how Garland’s physical and virtual taps can discreetly collect information from a self-hosted, cloud, or hybrid network. In Kubernetes, they exist as a microservice that sits on a node collecting data. Optimized for speed, Garland’s taps take half the typical time – only 120 microseconds to get TLS keys. These taps capture network data at its most basic form — the packet — and passes the information to Corelight for analysis.


Edward Smith then introduced Corelight, showing how it developed as a means to scale up and manage the security information generating services of the open-source tool Zeek (Bro), a long-trusted security tool in the defense industry.

He explained how Zeek functions within Corelight, collecting data from SMTP, DNS, HTTP, and conn log sources, synchronizes them with microsecond accuracy, and compresses them so it generates a data stream that is typically less than 1% of all inbound traffic.

The reason all this is great is that this can enable faster incident resolution, up to 20x faster.
Edward Smith

Senior Product Marketing Manager, Corelight

Richard Patrick then explained how Humio maximizes the efficiencies generated by Corelight and Garland in an index-free live data-streaming platform. By cutting out indexes, Humio separates itself from traditional log management and becomes more of a live observability tool that immediately pushes ingested data to digest in a few hundred milliseconds. This results in live sharable dashboards that provide a real-time view of everything that is happening in the system.

Where Humio becomes different – because we’re a live streaming platform, I can see not just if something happened in the past, but also if it’s currently still happening on the network.
Richard Patrick

Solution Architect, Humio

Humio also builds on Corelight by further compressing data by 10-20x, allowing users to store hot data for longer with no added inflation from indexes.

Demo of the modern stack

We go through a demo of the Garland-Corelight-Humio integration. Neil shows how to install a Garland virtual sensor in seconds by copy and pasting code. Ronnie Ganwani guides us through several ways of customizing data in Corelight, including how to gain insights from encrypted SSH traffic.

Richard gave an in-depth look at Humio’s dashboards, showing how they make enterprise levels of complex network data from Corelight easy to access. He showed how easy it is to turn a search into an always-live widget on a dashboard in a few clicks, and how easy it is to drill down and find logs that are linked to root-causes of incidents.

Looking beyond dashboards, Richard showed Humio as a hunting tool. He showed how free-text search allows users to search live results or historical searches with sub-second latency, tracking down answers to novel questions in seconds. He demonstrated how to make the most of alerts by customizing them to provide a range of notifiers, and showed how Humio’s unique live streaming data allows users to go from an alert occurring to see if the relevant event is still happening.

Ronnie wrapped up by showing a few key Corelight dashboards. On the Corelight DNS dashboard, he pointed out the main categories that reveal malicious traffic. On the Corelight HTTP dashboard, he pointed out how users can see at a glance if ‘Not Found’ status codes reveal a problem in the network. He then drills down using a UID and immediately follows the connections to IP addresses.

Watch the workshop on-demand right now and see what sub-second data flow in a modern observability stack looks like.

Start your free trial now, available Self-hosted and SaaS, or request a demo.