• Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Logo
  • About
  • Bulletins
  • Corelight.com
  • Contact us

Bright Ideas Blog

Bright Ideas Blog

Bright Ideas Blog

Home ›› Industry ›› Using Corelight and Zeek to support remote workers

Using Corelight and Zeek to support remote workers

March 25, 2020 by Richard Bejtlich

By Richard Bejtlich, Principal Security Strategist, Corelight

Due to the tragic Covid-19 pandemic, as we are all experiencing first hand, most governments and health officials are either mandating or encouraging those who can work from home to do so, as part of widespread “social distancing” measures. Remote workers are likely leveraging three sorts of computing models: 

  1. Using the network to access Internet resources not associated with their organization;
  2. Using the network to access Internet resources managed by their organization but hosted by a third party, such as a cloud provider; and
  3. Using the network to access resources hosted by their organization. 

If the organization can technically, legally, and ethically instrument the remote worker’s device, such as a laptop or phone, then the security or information technology staff will have some visibility into the use of the device for all three cases. That visibility will depend on the nature of the logging available and the applications used by the remote worker.

If the organization lacks instrumentation of the remote worker’s device, they will not have visibility into the first case, as those Internet resources are not associated with their organization. For the second case, organization-managed cloud resources, the visibility will depend upon the logging offered by the cloud provider. For the third case, organization-hosted resources, the visibility will depend on the nature of the application, server, infrastructure, and network monitoring deployed by the organization.

There is one exception to the previous guidance. If the organization implements network security monitoring at the remote worker’s location, then they will have some level of visibility into all three cases. However, that is generally not a viable, scalable solution, for a variety of reasons. While it is a good idea to deploy NSM at high-value “target” remote sites, such as senior organizational leadership homes, this is not an approach that would be manageable once the site count enters the high-double or triple digit range.

Accordingly, NSM is most likely to be of value in case three, when remote workers access organization-hosted resources. To accomplish this goal, IT staff may deploy additional infrastructure, such as virtual private network (VPN) concentrators, or other hardware and software to meet increased demand. These systems require observation as well. 

IT and security should have already implemented NSM behind the VPN terminators, i.e., after external traffic has reached the VPN device and extra encryption has been removed. If there is no monitoring at this location, then that should be the first priority!

However, assuming that security teams already see traffic inside the VPN concentrators, what is the next priority?

If an intruder were able to compromise a VPN concentrator, network switch, or router, he or she would gain the advantage over defenders. They could observe, alter, or deny traffic and data when operating with such elevated privilege and access. Therefore, it is imperative that security teams recognize the need to instrument their remote access infrastructure with visibility solutions like Corelight and the Zeek NSM in order to maintain the high ground compared to their adversaries. 

While the traffic to and from such devices should be encrypted, it is not the data being protected that is the concern. The worry is that intruders will attack the devices themselves. Security teams would benefit from reviewing their NSM data to ensure that only authorized parties are interacting with their remote work infrastructure. They should also ensure that the VPN concentrators and other network devices are behaving as expected, and not receiving or initiating unauthorized interactive control sessions with foreign parties. 

We at Corelight wish you and your loved ones all the best in these difficult times.

Filed Under: Industry, Network Security Monitoring Tagged With: covid-19, Network Security Monitoring, network traffic analysis, remote workers, Richard Bejtlich, VPN, Zeek

Contact

  • Contact Us
  • Find a Reseller
  • Headquarters+1(510) 281-0760
  • Sales+1(888) 547-9497

Primary Sidebar

Search

Recent Posts

  • Detecting SUNBURST/Solarigate activity in retrospect with Zeek – a practical example
  • Finding SUNBURST backdoor with Zeek logs & Corelight
  • Introducing the Cloud Sensor for GCP
  • Who’s your fridge talking to at night?
  • Small, fast and easy. Pick any three.

Categories

Archives

Tags

Bro conn.log Corelight Corelight Sensor cybersecurity DNS Elastic encrypted traffic encryption files.log GitHub HTTP HTTPS incident response ja3 ja3s JSON Linux logs MITRE ATT&CK NDR network security Network Security Monitoring network traffic analysis network visibility NSM NTA open source open source community PCAP Richard Bejtlich SANS SIEM SMTP SOC Splunk SSH SSL ssl.log Suricata TCP TLS TLS 1.3 Vern Paxson Zeek

Footer

Use Cases

  • Our Use Cases
  • MITRE ATT&CK
  • Government
  • Enterprise
  • Higher Education
  • Why Corelight

Products

  • Zeek
  • Suricata
  • Collections
  • Appliance Sensors
  • Cloud Sensors
  • Software Sensor
  • Virtual Sensors
  • Fleet Manager
  • Compare to open Source Zeek

Company

  • About Corelight
  • Awards
  • Careers
  • Events
  • News Coverage
  • Media Kit

Resources

  • Support Overview
  • Open A Support Ticket
  • Product Training
  • Case Studies
  • Video
  • Github
  • Scripts + Packages
  • Zeek Community

Follow us

  • facebook
  • twitter
  • linkedin
  • github
  • reddit
  • youtube

Copyright © 2021 · Corelight, Inc. · All rights reserved. · Privacy Policy · Terms of Use