Corelight moves towards open NDR platform
“Our integration of Zeek with Suricata is the natural progression towards a truly open NDR platform for customers. We are excited to support and participate in the vibrant Suricata community going forward, in addition to our historical community of Zeek developers and users,” added Dye.
Corelight, a provider of some of the most powerful network traffic analysis (NTA) solutions for cybersecurity, has announced its first major steps towards offering an open network detection and response (NDR) platform that will bring a proven open-source design pattern into one unified product for customers.
Corelight has integrated two powerful open-source projects, Zeek and Suricata, into a seamless solution that enables rapid pivoting from Suricata alerts into the rich network metadata extracted by Zeek. Suricata is an open-source network threat detection engine already supported by a wide variety of ruleset providers.
The integration will first be available as an additional licence on Corelight’s highest capacity sensor, the AP 3000.
“The power of deep integration between Zeek and Suricata is significant. Incident responders often deal with hundreds of Suricata alerts but making sense of them quickly is challenging,” said Brian Dye, Chief Product Officer at Corelight. “Zeek brings rich network evidence together with Suricata’s extensive rules and signature language, making it possible for security teams to rapidly test their hunting hypotheses and turn discoveries into automated threat detections.”
Corelight’s new integrated Suricata log includes the Unique ID (UID) familiar to Zeek users, which means an analyst can pivot directly from a Suricata alert into any of the Zeek logs for the same connection to leverage powerful evidence about email, web traffic, SSL, DHCP, DNS and dozens of other data types inherent to Zeek.
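The pivot described above, as an added example rather than code from Corelight or the Zeek and Suricata projects: Suricata alerts written as a JSON-lines Zeek log that carries the connection `uid` are joined to Zeek's `conn`, `http` and `ssl` logs on that `uid`. The sample log lines are constructed; the log name `suricata_corelight` and the `alert.*` field names are assumptions, while the `conn`, `http` and `ssl` field names are standard Zeek. The example goes one step beyond the text by adding a second, analyst-style pivot (which other hosts talked to the same responder) and by handling an alert whose `uid` has no matching Zeek record.

```python
"""Pivot from Suricata alerts into Zeek logs on the shared Zeek UID.

Added example, not Corelight's code. The ``suricata_corelight`` log name
and the ``alert.*`` field names are assumptions; ``conn``/``http``/``ssl``
field names are the standard Zeek ones. All log lines below are constructed.
"""
import json
from collections import defaultdict

# Constructed suricata_corelight.log (JSON lines). Third alert has a uid
# that appears in no Zeek log, e.g. because that log was already rotated.
SURICATA_LOG = """
{"ts":1717000001.1,"uid":"CaBcDe1Xy2Zq","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"203.0.113.9","id.resp_p":80,"alert.signature_id":2100498,"alert.signature":"GPL ATTACK_RESPONSE id check returned root","alert.severity":1}
{"ts":1717000002.4,"uid":"CzZyXw9Ab8Cd","id.orig_h":"10.0.0.7","id.orig_p":44321,"id.resp_h":"198.51.100.20","id.resp_p":443,"alert.signature_id":2000001,"alert.signature":"ET POLICY Example Sig","alert.severity":3}
{"ts":1717000009.0,"uid":"CmMnNoPq4Rst","id.orig_h":"10.0.0.11","id.orig_p":50000,"id.resp_h":"192.0.2.77","id.resp_p":8080,"alert.signature_id":2000002,"alert.signature":"ET POLICY Another Example","alert.severity":2}
"""

# Constructed conn.log: the responder 203.0.113.9 is contacted by two hosts.
CONN_LOG = """
{"ts":1717000001.0,"uid":"CaBcDe1Xy2Zq","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"203.0.113.9","id.resp_p":80,"proto":"tcp","service":"http","duration":0.42,"orig_bytes":311,"resp_bytes":1290,"conn_state":"SF"}
{"ts":1717000002.3,"uid":"CzZyXw9Ab8Cd","id.orig_h":"10.0.0.7","id.orig_p":44321,"id.resp_h":"198.51.100.20","id.resp_p":443,"proto":"tcp","service":"ssl","duration":12.8,"orig_bytes":2048,"resp_bytes":4096,"conn_state":"SF"}
{"ts":1717000005.0,"uid":"CqQwErTy3Uio","id.orig_h":"10.0.0.9","id.orig_p":40001,"id.resp_h":"203.0.113.9","id.resp_p":80,"proto":"tcp","service":"http","duration":0.3,"orig_bytes":200,"resp_bytes":900,"conn_state":"SF"}
"""

# Constructed http.log and ssl.log (application-layer evidence per uid).
HTTP_LOG = """
{"ts":1717000001.1,"uid":"CaBcDe1Xy2Zq","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"203.0.113.9","id.resp_p":80,"method":"GET","host":"203.0.113.9","uri":"/cgi-bin/status","user_agent":"curl/8.0","status_code":200}
{"ts":1717000005.1,"uid":"CqQwErTy3Uio","id.orig_h":"10.0.0.9","id.orig_p":40001,"id.resp_h":"203.0.113.9","id.resp_p":80,"method":"GET","host":"203.0.113.9","uri":"/cgi-bin/status","user_agent":"curl/8.0","status_code":200}
"""
SSL_LOG = """
{"ts":1717000002.4,"uid":"CzZyXw9Ab8Cd","id.orig_h":"10.0.0.7","id.orig_p":44321,"id.resp_h":"198.51.100.20","id.resp_p":443,"version":"TLSv12","server_name":"updates.example.net","ja3":"e7d705a3286e19ea42f587b344ee6865","established":true}
"""


def parse_jsonl(text):
    """Parse a JSON-lines Zeek log into a list of dict records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


ALERTS = parse_jsonl(SURICATA_LOG)
LOGS = {"conn": parse_jsonl(CONN_LOG), "http": parse_jsonl(HTTP_LOG), "ssl": parse_jsonl(SSL_LOG)}


def index_by_uid(records):
    """Build uid -> [records] so each pivot is a dictionary lookup, not a scan."""
    idx = defaultdict(list)
    for rec in records:
        if "uid" in rec:
            idx[rec["uid"]].append(rec)
    return idx


def enrich_alerts(alerts, logs):
    """Attach the conn record and every application-layer record sharing the alert's uid.

    An alert whose uid matches nothing gets conn=None and an empty app dict,
    so the caller can tell 'no evidence retained' apart from 'benign'.
    """
    indexes = {name: index_by_uid(recs) for name, recs in logs.items()}
    enriched = []
    for alert in alerts:
        uid = alert["uid"]
        conns = indexes.get("conn", {}).get(uid, [])
        app = {name: idx[uid] for name, idx in indexes.items() if name != "conn" and uid in idx}
        enriched.append({
            "uid": uid,
            "signature_id": alert["alert.signature_id"],
            "signature": alert["alert.signature"],
            "severity": alert["alert.severity"],
            "conn": conns[0] if conns else None,
            "app": app,
        })
    return enriched


def who_else_talked_to(conn_records, resp_h, exclude_uid=None):
    """Second pivot: uids of all other connections to the same responder IP."""
    return sorted({r["uid"] for r in conn_records
                   if r["id.resp_h"] == resp_h and r["uid"] != exclude_uid})


if __name__ == "__main__":
    for e in enrich_alerts(ALERTS, LOGS):
        print(f"[{e['severity']}] {e['signature']} uid={e['uid']}")
        if e["conn"] is None:
            print("    no Zeek evidence for this uid")
            continue
        c = e["conn"]
        print(f"    conn {c['id.orig_h']} -> {c['id.resp_h']}:{c['id.resp_p']} service={c['service']}")
        for log_name, recs in e["app"].items():
            for r in recs:
                print(f"    {log_name}: " + json.dumps({k: r[k] for k in r if k not in ('ts', 'uid') and not k.startswith('id.')}))
        print("    other hosts to same responder:", who_else_talked_to(LOGS["conn"], c["id.resp_h"], e["uid"]))
```

In production the same join is done in the SIEM or with `zeek-cut`/`jq` over the sensor's exported logs; the point is that the `uid` is the key, so no timestamp-and-tuple fuzzy matching is needed.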
“To achieve our vision of extensible data and community engagement, we rely on open-source software, with enterprise-grade features added for easy deployment, security, integration, performance and extensibility,” said Dye.
“The Open Information Security Foundation is excited to welcome Corelight into the Consortium. Corelight and Zeek are long-time and respected members of the Suricata community, and we are thrilled to be part of this exciting new solution in the network defender’s arsenal,” said Dr Kelley Misata, President and Executive Director of OISF.
Seamless integration of Suricata into the Corelight AP 3000 Sensor makes it possible for sophisticated security teams to rely on a single data source for unlocking advanced analysis capabilities in an easy-to-deploy form factor.
Beyond the functional integration to accelerate incident response, Corelight has engineered Zeek and Suricata to use a shared CPU architecture to ensure that sensor performance scales with traffic growth.
Also included in the launch are enhancements to the Corelight Encrypted Traffic Collection (ETC). The Corelight ETC is designed to expand defenders’ incident response, threat hunting and forensics capabilities in encrypted environments by generating insights around SSH and TLS traffic that indicate potential security risk.
intelligent NETWORK SECURITY | www.intelligentciso.com | Issue 28 | p. 59