When a cyber-attack crosses the network, capturing relevant, high-quality data from that traffic is essential for security operations. This is especially pertinent in cloud environments, where security teams have limited or no traffic visibility and are left blind to malicious activity. Without pervasive visibility into, and deep insight from, network traffic, threat hunting and incident response teams cannot be effective. Garland Technology recently spoke to Vijit Nair, Senior Director of Product at Corelight, about the importance of threat hunting and how, with the right tools and direction, it is more accessible than you might think.
Incident response is the process by which organizations respond to an intrusion. Security teams must have clear plans and well defined playbooks that help them move rapidly to respond to an incident and limit the damage. For this, they must be armed with high fidelity data that allows them to triage alerts, dismiss false positives, escalate actual incidents and deep dive into an investigation.
Threat hunting is a hypothesis-driven activity, searching for threats that have gone undetected and are currently hiding in the network. Threat hunting typically starts with a hypothesis of potential issues in your network, and then you dive into the data to look for something interesting. Incident response comes into play when an intrusion detection system detects an issue and generates an alert; it is a reactive approach, whereas threat hunting is proactive. Threat hunting may trigger an incident response if something malicious is detected. Here is Corelight's Threat Hunting Guide, organized around the MITRE ATT&CK framework.
In a cloud environment, the shared responsibility model limits visibility, while distributed cloud services and hybrid environments expand the attack surface. Automation and scale amplify misconfiguration, turning it into the single biggest threat to cloud security. Privileged Identity and Access Management (IAM) accounts for 70-80% of all data breaches. Enterprises migrating workloads into the cloud are responsible for the security of the applications, but don't have the kind of visibility needed to secure them.
Threat hunting in the cloud environment requires comprehensive visibility, which is challenging in an IaaS (Infrastructure as a Service) environment. Security Ops teams need to ensure that logging is configured (and stays configured) on every service, ingest log types from every service into their SIEM, navigate poorly designed schemas, and correlate across logs from different cloud environments.
Security teams must use network monitoring to complement application-level visibility. With a bird's-eye view of the cloud environment, organizations can shine a light on high-value assets, privilege boundaries between multi-cloud environments, and other choke points. Network monitoring provides a judgement-free view of the environment and is cloud provider, application and service agnostic. Open source tools such as Zeek have long been established as the de facto standard for continuous network security monitoring, with a schema that is purpose-built for SOC teams. The extensibility of Zeek and its community-developed content allows you to easily enrich data with context and correlations.
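The following is an added example written for this page (it is not Corelight's or Garland's code, and it does not use any Corelight product). It shows, in working form, the three things the answers above describe: a hunt that starts from a stated hypothesis, the Zeek log schema with its `#fields`/`#types` headers, and correlation across two log types by Zeek's connection `uid`. The conn.log and ssh.log lines are constructed for the example, and the internal address range (10.0.0.0/8) and the duration/attempt thresholds are assumptions, not values from the interview.

```python
"""Hypothesis-driven hunt over Zeek conn.log and ssh.log (added example,
not Corelight or Garland code).  Log lines, address ranges and thresholds
below are constructed assumptions for the example."""
import ipaddress
from typing import Any, Dict, List


def _tsv(rows: List[List[str]]) -> str:
    """Join constructed rows into Zeek's tab-separated log layout."""
    return "\n".join("\t".join(r) for r in rows)


# Constructed conn.log: one long external SSH session (Cuid1), one short
# internal admin session (Cuid2) and one brief external attempt (Cuid3).
CONN_LOG = _tsv([
    ["#separator \\x09"], ["#set_separator", ","], ["#empty_field", "(empty)"],
    ["#unset_field", "-"], ["#path", "conn"],
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
     "local_orig", "local_resp", "missed_bytes", "history", "orig_pkts",
     "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents"],
    ["#types", "time", "string", "addr", "port", "addr", "port", "enum", "string",
     "interval", "count", "count", "string", "bool", "bool", "count", "string",
     "count", "count", "count", "count", "set[string]"],
    ["1700000000.100000", "Cuid1", "203.0.113.7", "51000", "10.0.1.20", "22", "tcp",
     "ssh", "1842.5", "38400", "912000", "SF", "F", "T", "0", "ShADadfF", "960",
     "86400", "1400", "988000", "-"],
    ["1700000100.200000", "Cuid2", "10.0.2.15", "44000", "10.0.1.20", "22", "tcp",
     "ssh", "12.2", "2300", "4100", "SF", "T", "T", "0", "ShADadfF", "14", "3000",
     "12", "4700", "-"],
    ["1700000200.300000", "Cuid3", "198.51.100.9", "60000", "10.0.1.21", "22", "tcp",
     "ssh", "0.4", "1200", "1300", "SF", "F", "T", "0", "ShADadfF", "6", "1500",
     "5", "1600", "-"],
    ["#close", "2023-11-14-22-10-00"],
])

# Constructed ssh.log for the same three connections (joined on uid).
SSH_LOG = _tsv([
    ["#separator \\x09"], ["#set_separator", ","], ["#empty_field", "(empty)"],
    ["#unset_field", "-"], ["#path", "ssh"],
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "version", "auth_success", "auth_attempts", "direction", "client", "server",
     "cipher_alg", "mac_alg", "compression_alg", "kex_alg", "host_key_alg", "host_key"],
    ["#types", "time", "string", "addr", "port", "addr", "port", "count", "bool",
     "count", "enum", "string", "string", "string", "string", "string", "string",
     "string", "string"],
    ["1700000000.400000", "Cuid1", "203.0.113.7", "51000", "10.0.1.20", "22", "2", "T",
     "1", "INBOUND", "SSH-2.0-OpenSSH_8.9", "SSH-2.0-OpenSSH_8.2p1",
     "chacha20-poly1305@openssh.com", "umac-64-etm@openssh.com", "none",
     "curve25519-sha256", "ssh-ed25519", "-"],
    ["1700000100.500000", "Cuid2", "10.0.2.15", "44000", "10.0.1.20", "22", "2", "T",
     "1", "INBOUND", "SSH-2.0-OpenSSH_8.9", "SSH-2.0-OpenSSH_8.2p1",
     "chacha20-poly1305@openssh.com", "umac-64-etm@openssh.com", "none",
     "curve25519-sha256", "ssh-ed25519", "-"],
    ["1700000200.600000", "Cuid3", "198.51.100.9", "60000", "10.0.1.21", "22", "2", "F",
     "3", "INBOUND", "SSH-2.0-libssh_0.9.6", "SSH-2.0-OpenSSH_8.2p1",
     "aes128-ctr", "hmac-sha2-256", "none", "curve25519-sha256", "ssh-ed25519", "-"],
])


def _convert(typ: str, raw: str, unset: str, empty: str) -> Any:
    """Type a raw column using the Zeek #types header; '-' is an unset value."""
    if raw == unset:
        return None
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    if typ == "bool":
        return raw == "T"
    if typ.startswith(("set[", "vector[")):
        return [] if raw == empty else raw.split(",")
    return raw  # addr, string, enum stay as strings


def parse_zeek_tsv(text: str) -> List[Dict[str, Any]]:
    """Parse Zeek's TSV log format, honouring its #fields/#types/#unset_field headers."""
    fields: List[str] = []
    types: List[str] = []
    unset, empty = "-", "(empty)"
    records: List[Dict[str, Any]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "types":
                types = rest.split("\t")
            elif key == "unset_field":
                unset = rest
            elif key == "empty_field":
                empty = rest
            continue  # #separator, #path, #open, #close carry no record
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        records.append({n: _convert(t, v, unset, empty)
                        for n, t, v in zip(fields, types, values)})
    return records


# Assumption for the example: the organisation's own cloud (VPC) ranges.
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)


def hunt_external_ssh_sessions(conn, ssh, min_duration: float = 600.0):
    """Hypothesis: an address outside our ranges holds a successful, long-lived
    SSH session to an instance.  ssh.log gives the auth outcome, conn.log the
    duration; the two are joined on Zeek's per-connection uid."""
    by_uid = {c["uid"]: c for c in conn}
    hits = []
    for s in ssh:
        if s["auth_success"] is not True or is_internal(s["id.orig_h"]):
            continue
        c = by_uid.get(s["uid"])
        if c is None or c["duration"] is None or c["duration"] < min_duration:
            continue
        hits.append({"uid": s["uid"], "src": s["id.orig_h"], "dst": s["id.resp_h"],
                     "duration": c["duration"], "client": s["client"]})
    return hits


def hunt_external_ssh_failures(ssh, min_attempts: int = 2):
    """Hypothesis: password guessing from outside, visible as a failed
    authentication with several attempts inside one connection."""
    return [{"uid": s["uid"], "src": s["id.orig_h"], "attempts": s["auth_attempts"]}
            for s in ssh
            if s["auth_success"] is False and not is_internal(s["id.orig_h"])
            and (s["auth_attempts"] or 0) >= min_attempts]


if __name__ == "__main__":
    conn_records = parse_zeek_tsv(CONN_LOG)
    ssh_records = parse_zeek_tsv(SSH_LOG)
    for hit in hunt_external_ssh_sessions(conn_records, ssh_records):
        print("long external SSH session:", hit)
    for hit in hunt_external_ssh_failures(ssh_records):
        print("external SSH auth failures:", hit)
```

Run against the constructed logs, the first hunt surfaces only Cuid1 (an external client authenticated and stayed connected for roughly half an hour), and the second surfaces Cuid3 (three failed attempts in one connection from outside). The internal session Cuid2 matches neither hypothesis. Because Zeek assigns one `uid` per connection across all of its logs, the same join extends to other log types (dns.log, ssl.log, files.log) without any schema work; unset columns are carried as `None` so a hunt can tell "not observed" from a zero.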
A lack of application-level visibility and comprehensive logging is why organizations look to network monitoring for a normalized view of their environment. Packets don't lie, and IT and security professionals need this level of visibility and access for their connected applications to detect security anomalies and analyze network performance. This visibility has been notably absent in Azure, leaving IT teams to examine small packet captures for individual hosts using outdated tools such as tcpdump and Microsoft Network Monitor, instead of a native solution.
One major challenge that exists with the cloud is delivering packet-level data to tools. With data crossing public internet circuits, there is likely to be some degree of packet loss. Corelight requires visibility into all the traffic data traveling throughout the environment. That’s why we work with Garland, in this instance with Garland Prisms, to help drive accurate advanced packet data that Corelight sensors need to detect and respond to malicious data.
A great place to start is the recently released MITRE ATT&CK Cloud Matrix for enterprises. This matrix covers the cloud-based TTPs that adversaries employ. Additionally, Corelight has put together a tool that identifies TTPs in the ATT&CK matrix where Corelight data can be used to discover and thwart attackers.
Yes! We recently updated the capabilities of the Corelight Cloud Sensors based on changes in encryption data in the cloud. Encrypted traffic continues to rise. Defenders need to be equipped with threat hunting tools to separate legitimate behavior from malicious activity when decryption is not an option. The expansion is called Corelight Encrypted Traffic Collection (ETC), which expands defenders' incident response and threat hunting capabilities in encrypted environments. Corelight ETC is awesome because it contains numerous packages developed by Corelight's Research Team, such as the ability to infer keystrokes over SSH connections, as well as curated packages from the open-source Zeek community. We were excited to roll this out earlier this year.
Cloud adoption will continue unabated as enterprises accelerate their migration. Cloud services will become a lot more ubiquitous and distributed with the adoption of microservices and serverless architectures. We expect cloud security challenges to grow at the same pace. Organizations will be forced to shift from a compliance- and prevention-centric mindset to establishing mature SOC teams capable of threat hunting and incident response to take on the emerging threats in cloud security.
Vijit Nair is Sr Director of Products for the Cloud Portfolio at Corelight, where he focuses on building products that extend Corelight's NSM visibility into public and private cloud environments. Previously, as Director of Product - Cloud Segment at Juniper Networks, he managed their portfolio spanning Data Center Switching, Cloud Networking and Security. Prior to that, as an engineer, he built and shipped some of the fastest routers in the world and holds several patents in networking. He has a Master's from Penn State and an MBA from UC Berkeley Haas.