Building a Modern Security Stack Workshop Recap
See how Garland, Corelight and Humio observability tools work together in real time
May 4th, 2020
In our April 30th Building a Modern Observability Stack workshop, experts from Garland Technology, Corelight, and Humio showed how their products work together to provide actionable, real-time access to information. By completing the observability picture with packet data and network traffic, this stack shortens response time, enabling SecOps and DevOps teams to find the root causes of problems in seconds.
The workshop featured presenters including:
Neil Wilkins, Technical Manager at Garland
Edward Smith, Senior Product Marketing Manager at Corelight
Ronnie Ganwani, Technical Marketing Engineer at Corelight
Richard Patrick, Solution Engineer at Humio
Building a modern stack
If you can see the packet, you can see everything.
Technical Manager, Garland
Neil Wilkins provided an overview of Garland Technology's network taps, explaining how Garland's physical and virtual taps can discreetly collect traffic from a self-hosted, cloud, or hybrid network. In Kubernetes, they run as a microservice that sits on a node collecting data. Optimized for speed, Garland's taps take half the typical time – only 120 microseconds – to obtain TLS keys. These taps capture network data in its most basic form — the packet — and pass that data to Corelight for analysis.
Edward Smith then introduced Corelight, showing how it developed as a way to scale up and manage the security-monitoring capabilities of the open-source tool Zeek (formerly Bro), a long-trusted security tool in the defense industry.
He explained how Zeek functions within Corelight: it collects data from SMTP, DNS, HTTP, and conn log sources, synchronizes them with microsecond accuracy, and compresses them, producing a data stream that is typically less than 1% of all inbound traffic.
The reason all this is great is that this can enable faster incident resolution, up to 20x faster.
Senior Product Marketing Manager, Corelight
Richard Patrick then explained how Humio builds on the efficiencies gained from Corelight and Garland with an index-free, live data-streaming platform. By cutting out indexes, Humio sets itself apart from traditional log management and becomes a live observability tool, making ingested data available to its digest pipeline within a few hundred milliseconds. The result is live, shareable dashboards that give a real-time view of everything happening in the system.
Where Humio becomes different – because we’re a live streaming platform, I can see not just if something happened in the past, but also if it’s currently still happening on the network.
Solution Architect, Humio
Humio also builds on Corelight's output by compressing the data a further 10-20x, allowing users to keep hot data for longer with no added inflation from indexes.
Demo of the modern stack
The presenters then walked through a demo of the Garland-Corelight-Humio integration. Neil showed how to install a Garland virtual sensor in seconds by copying and pasting code. Ronnie Ganwani guided us through several ways of customizing data in Corelight, including how to gain insights from encrypted SSH traffic.
Richard gave an in-depth look at Humio's dashboards, showing how they make enterprise-scale network data from Corelight easy to access. He showed how to turn a search into an always-live widget on a dashboard in a few clicks, and how to drill down to find the logs linked to the root causes of incidents.
Looking beyond dashboards, Richard showed Humio as a hunting tool. He showed how free-text search lets users query live or historical data with sub-second latency, tracking down answers to novel questions in seconds. He demonstrated how to make the most of alerts by customizing them with a range of notifiers, and showed how Humio's live streaming data lets users go from an alert firing to checking whether the triggering event is still happening.
Ronnie wrapped up by showing a few key Corelight dashboards. On the Corelight DNS dashboard, he pointed out the main categories that reveal malicious traffic. On the Corelight HTTP dashboard, he showed how users can see at a glance whether 'Not Found' status codes point to a problem in the network. He then drilled down using a UID and immediately followed the connections to the IP addresses involved.
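To illustrate the UID pivot Ronnie demonstrated, here is an added example (not code from the workshop, Corelight or Humio) that joins Zeek http.log 'Not Found' records to their conn.log entries by uid and counts them per source host. The log lines are constructed samples; field names follow Zeek's JSON log output, and the hosts, paths and uids are assumptions.

```python
import json
from collections import Counter

# Constructed sample Zeek JSON log lines (not captured traffic). Field names
# follow Zeek's http.log and conn.log JSON output; values are placeholders.
HTTP_LOG = """
{"ts":1588291200.10,"uid":"CabcDE1","id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.10","host":"intranet.example","uri":"/api/v1/users","status_code":200}
{"ts":1588291201.20,"uid":"CabcDE2","id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.10","host":"intranet.example","uri":"/reports/2019/q4.pdf","status_code":404}
{"ts":1588291201.90,"uid":"CabcDE3","id.orig_h":"10.0.0.7","id.resp_h":"192.0.2.20","host":"shop.example","uri":"/images/logo-old.png","status_code":404}
{"ts":1588291202.40,"uid":"CabcDE4","id.orig_h":"10.0.0.5","id.resp_h":"192.0.2.10","host":"intranet.example","uri":"/api/v2/users","status_code":404}
"""
CONN_LOG = """
{"ts":1588291200.00,"uid":"CabcDE1","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"192.0.2.10","id.resp_p":80,"proto":"tcp","service":"http","conn_state":"SF"}
{"ts":1588291201.10,"uid":"CabcDE2","id.orig_h":"10.0.0.5","id.orig_p":51001,"id.resp_h":"192.0.2.10","id.resp_p":80,"proto":"tcp","service":"http","conn_state":"SF"}
{"ts":1588291201.80,"uid":"CabcDE3","id.orig_h":"10.0.0.7","id.orig_p":40222,"id.resp_h":"192.0.2.20","id.resp_p":80,"proto":"tcp","service":"http","conn_state":"SF"}
{"ts":1588291202.30,"uid":"CabcDE4","id.orig_h":"10.0.0.5","id.orig_p":51002,"id.resp_h":"192.0.2.10","id.resp_p":80,"proto":"tcp","service":"http","conn_state":"SF"}
"""

def parse_zeek_json(text):
    """Parse one JSON object per non-empty line, keyed by Zeek's connection uid."""
    records = {}
    for line in text.strip().splitlines():
        if line.strip():
            rec = json.loads(line)
            records[rec["uid"]] = rec
    return records

def pivot_not_found(http_log, conn_log):
    """Select HTTP 404 responses and join each to its conn.log entry via uid."""
    conns = parse_zeek_json(conn_log)
    hits = []
    for rec in parse_zeek_json(http_log).values():
        if rec.get("status_code") != 404:
            continue
        conn = conns.get(rec["uid"])  # None if the conn record is not (yet) present
        hits.append({
            "uid": rec["uid"], "host": rec.get("host"), "uri": rec.get("uri"),
            "orig_h": conn["id.orig_h"] if conn else None,
            "resp_h": conn["id.resp_h"] if conn else None,
            "resp_p": conn["id.resp_p"] if conn else None,
        })
    return hits

def not_found_by_source(hits):
    """Count 404s per originating host; a burst from one source is worth a closer look."""
    return Counter(h["orig_h"] for h in hits)

if __name__ == "__main__":
    for h in pivot_not_found(HTTP_LOG, CONN_LOG):
        print(h)
```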
Watch the workshop on-demand right now and see what sub-second data flow in a modern observability stack looks like.