Since nearly all cyber attacks must cross the network, extracting security-relevant data from network traffic is essential across a wide range of security operations including incident response, threat hunting, and threat detection. Finding a way to reliably and cost-effectively capture all traffic and transform it into usable security data, however, can be challenging, especially in environments with limited data center space and high throughput traffic.
Garland Technology and Corelight have partnered to offer an integrated solution to this problem via Garland Technology’s compact, high performance network TAPs and aggregators that can deliver a complete copy of network traffic to out-of-band Corelight Sensors, which transform the captured traffic into comprehensive network logs, extracted files, and custom security insights via the power of the open-source Zeek Network Security Monitor (formerly known as “Bro”).
Both companies draw on deep, historical domain expertise to deliver best-in-class technologies: Garland Technology was founded by the inventor of the first Bypass TAP and Corelight was founded by the inventor and key developers of open-source Zeek.
Many security teams today have limited or no security visibility into their DNS traffic at the perimeter, leaving them blind to attackers who hide in DNS traffic and use it to establish malicious C2 server communications, deploy malware, and exfiltrate sensitive data. For lean security teams, Garland Technology’s Copper TAP and Corelight’s AP 200 Sensor provide a fast, affordable way to capture DNS traffic and get quick, comprehensive insights into potentially malicious DNS activity.
Garland Technology’s Copper TAP provides complete network visibility by passing live wire data to active, inline security devices while capturing a full copy of it. Corelight’s AP 200 Sensor then transforms the captured traffic into comprehensive protocol logs, including rich DNS logs that provide critical security context missing from typical DNS server records, such as the content of the response. Corelight can also fork and filter the logs, so you can send a complete copy of the logs to a SIEM for incident response while sending a separate, DNS-only stream to a security analytics tool such as Real Intelligence Threat Analytics (RITA) to detect threats like DNS tunneling and forward those alerts on to your SIEM.
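The following is an added example, not Corelight, Garland or RITA code, of the kind of analysis a DNS-only stream of Zeek `dns.log` records makes possible. It parses Zeek's default tab-separated log format (the `#fields` header names the columns) and profiles each registered domain for common DNS-tunneling indicators: many unique subdomains, long subdomain labels, high label entropy, and TXT/NULL query volume. The sample log, the registered-domain approximation (last two labels) and the thresholds are all constructed assumptions for illustration; RITA's own detection logic is not reproduced here.

```python
"""Flag DNS-tunneling-like behaviour in a Zeek dns.log excerpt (added example)."""
import hashlib
import math
from collections import defaultdict

# Zeek dns.log column names (default field set).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
          "trans_id", "rtt", "query", "qclass", "qclass_name", "qtype", "qtype_name",
          "rcode", "rcode_name", "AA", "TC", "RD", "RA", "Z", "answers", "TTLs", "rejected"]


def _row(ts, query, qtype_name, answers):
    """Build one constructed dns.log record; columns not of interest are '-' (unset)."""
    vals = {f: "-" for f in FIELDS}
    vals.update({"ts": f"{ts:.6f}", "uid": f"C{int(ts)}", "id.orig_h": "10.0.0.5",
                 "id.orig_p": "51234", "id.resp_h": "10.0.0.53", "id.resp_p": "53",
                 "proto": "udp", "query": query, "qtype_name": qtype_name,
                 "rcode_name": "NOERROR", "answers": answers, "rejected": "F"})
    return "\t".join(vals[f] for f in FIELDS)


# Constructed sample: four ordinary lookups plus six tunnel-style TXT queries whose
# leftmost label is 48 hex characters of encoded data under one registered domain.
_NORMAL = [_row(1617182000 + i, q, "A", "93.184.216.34")
           for i, q in enumerate(["www.example.com", "mail.example.com",
                                  "cdn.example.com", "www.example.com"])]
_TUNNEL = [_row(1617182100 + i,
                hashlib.sha256(str(i).encode()).hexdigest()[:48] + ".t.tunnel-example.test",
                "TXT", hashlib.sha256(str(i + 100).encode()).hexdigest())
           for i in range(6)]
SAMPLE_DNS_LOG = ("#separator \\x09\n#path\tdns\n#fields\t" + "\t".join(FIELDS) + "\n"
                  + "\n".join(_NORMAL + _TUNNEL) + "\n")


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score far higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_zeek_tsv(text):
    """Parse Zeek TSV output into dicts, taking column names from the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("record seen before #fields header")
        parts = line.split("\t")
        if len(parts) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(parts)}")
        records.append(dict(zip(fields, parts)))
    return records


def split_query(query):
    """Approximate (registered_domain, subdomain) as last-two-labels / the rest (assumption)."""
    labels = query.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(records):
    """Aggregate per-registered-domain tunneling indicators from dns.log records."""
    prof = defaultdict(lambda: {"subdomains": set(), "lengths": [], "entropies": [], "txt": 0})
    for r in records:
        q = r.get("query", "-")
        if q in ("-", "(empty)"):
            continue
        reg, sub = split_query(q)
        p = prof[reg]
        if sub:
            compact = sub.replace(".", "")
            p["subdomains"].add(sub)
            p["lengths"].append(len(compact))
            p["entropies"].append(shannon_entropy(compact))
        if r.get("qtype_name") in ("TXT", "NULL"):
            p["txt"] += 1
    return prof


def flag_tunneling(records, min_unique=5, min_len=30.0, min_entropy=3.5):
    """Return domains with high subdomain fan-out and long or high-entropy labels.

    Thresholds are assumptions for the constructed sample; tune them per environment."""
    flagged = {}
    for reg, p in profile_domains(records).items():
        n = len(p["subdomains"])
        if n < min_unique or not p["lengths"]:
            continue
        mean_len = sum(p["lengths"]) / len(p["lengths"])
        mean_ent = sum(p["entropies"]) / len(p["entropies"])
        if mean_len >= min_len or mean_ent >= min_entropy:
            flagged[reg] = {"unique_subdomains": n, "mean_label_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2), "txt_queries": p["txt"]}
    return flagged


if __name__ == "__main__":
    for domain, stats in flag_tunneling(parse_zeek_tsv(SAMPLE_DNS_LOG)).items():
        print(f"suspect {domain}: {stats}")
```

Because Zeek's DNS log records the full query name and the answer content, this profile can be computed from the log stream alone without retaining packet captures, which is what makes the DNS-only fork practical at scale.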
The scalable design of multi-network environments with satellite locations allows for easy deployment and management of remote sensors along with other monitoring and inline devices. At the primary location, Garland’s SelectTAP™ Fiber Modular Chassis taps multiple links, sending traffic through the PacketMAX™ Advanced Aggregator for aggregation and the PacketMAX™ Advanced Features box for deduplication.
At the remote location, Garland’s EdgeLens® sends traffic back to the primary site’s Advanced Aggregator over GRE tunnels, where it is loaded onto the two Corelight AP 3000 devices.
Garland Technology provides traffic capture in the cloud, so corporate traffic in private and public cloud environments, including AWS, Google Cloud Platform, and Azure, can be captured via the Garland Prism. The cloud traffic is transmitted to Garland and then streamed to a Corelight Sensor to be transformed into logs, extracted files, and security insights.
Corelight offers a suite of network traffic analysis sensors that use a specialized version of the open-source Zeek Network Security Monitor to ingest network traffic and transform it into rich network logs, extracted files, and security insights. Corelight Sensors are available in both physical (1U) and virtual form factors (VMware and Hyper-V), sized to support a range of network throughput speeds at 2 Gbps, 10 Gbps, and 25 Gbps.
Corelight Joint Solution Briefs: Complete Network Traffic Analysis and Visibility at Scale