Don’t Do It: Rolling Your Own Production Zeek Deployment
In a previous blog, we wrote about the benefits that come with Zeek-formatted metadata. This blog builds on that thread by discussing why our customers come to us as an enterprise solution to support their Zeek deployments.
The reason is best told through the experience of one of our government customers, which initially chose to deploy and maintain their own Zeek/Bro deployment. At the time, the rationale was reasonable: Use in-house resources for a one-time, small-scale deployment, and incrementally maintain it with the rest of the infrastructure while providing significant value to their security team.
However, over time, it became increasingly untenable:
This no-win tradeoff drives many of our customers to ask us how their security teams can better spend their time. Manually administering tools (a.k.a. barely keeping afloat) in a self-managing fashion or being security experts and threat hunters? Consider the following comparison between a self-managed scenario and a Vectra deployment.
In addition to the deployment challenges shared by this customer, day-to-day operational requirements like system monitoring, system logging and even front-end authentication pose a heavy burden. Most make the choice to find a partner that can simplify the complexity of such a deployment: Accelerate time to deployment, enable automatic updates that eliminate the need to regularly patch and maintain, and perform continuous system monitoring.
These are default capabilities that free you to focus on the original charter of your security team. Think about your data capture and analysis architecture and deployment. We invite you to reach out to a Vectra representative for a consultative discussion about your deployment or to the authors of this Gartner research for more context about these issues.