As an instant response firm, the Cyber Defense Group focuses on two critical aspects of cyber security, the proactive side, which they call a virtual CISO, and the reactive side, which is the instant response to some sort of cyber attack.
The team over at the Cyber Defense Group (CDG) came to Garland Technology because they were looking for an affordable way to improve the visibility into their clients’ networks. Visibility is a critical component of their business, proactively to know what’s going on in the network, which can be difficult with the existing infrastructure; and reactively, when visibility is a must, because a client is under attack, and time is of the essence.
Visibility is critical when you're under attack
With a complicated network full of legacy equipment, an onsite IT team unaware of the problems, and an underperforming MSSP, CDG had a challenge when they were called into an instant response case with a large, healthcare organization. It quickly became apparent that visibility was needed to monitor the traffic and understand where the attackers were coming from, and what network traffic they were accessing. The switches the client originally had weren’t configured/updated correctly, so the only option was to turn to TAPs.
“We’re under attack and every minute that we don’t have visibility, is another minute that bad guys are exfiltrating sensitive data.” -Lou Rabon, Founder/CEO, Cyber Defense Group
A search for TAPs on the internet turned up Garland Technology as an alternative to the huge providers like Gigamon, who can be expensive and don’t provide a custom solution, and buying a cheap TAP off of Amazon wasn’t an option. CDG chose Garland Technology as their TAP vendor of choice due to the fact that right from the start, there was personalized support from the sales and design team to find the right solution for their needs.
Designing the Solution
By utilizing two Breakout TAPs and one Bypass TAP, in aggregation mode to feed the packet capture, intrusion detection, enterprise security monitoring and log management tools. Despite having only one network link ingressing into port A, the bypass TAP will still egress the traffic out of port B and create a copy of Port A to egress out of Port C.
Using the Breakout TAP on each end of the connections to feed Port C from both TAPs into the Bypass TAP (Set in Aggregation Mode). The Bypass TAP takes the breakout inputs and egress them together out a single port to the monitoring appliance. Since each network link is at most 500Mpbs, there is no risk of oversubscribing the 1G monitor port on the Bypass TAP. Cyber Defense Group was able to get the visibility they needed to find the source of the breach, and kick the hackers out.
[Want to learn more about how this solution solved a critical challenge for CDG? Read our latest use case on the topic.]