By Vince Stoffer, Senior Director, Product Management, Corelight This week’s launch of version 18 of our software features the Encrypted Traffic Collection, our first collection of a series of detections and data enrichments created by the Corelight research team. This collection focuses on SSH, SSL/TLS certificates, and insights into encrypted network sessions. SSH Inferences The […]
Tag Archives: Zeek
New Corelight App for Splunk: Making network-based threat hunting easier
By Ed Smith, Senior Product Marketing Manager, Corelight Want to use Zeek (formerly Bro) network data in Splunk ES, but don’t know how to start or where to look? Need to quickly narrow down Zeek logs from a mountain, to a hill, to a handful? Want to avoid hours of work mapping Corelight key-value pairs […]
A Network Engineer in a Zeek Week World
By Sarah Banks, Senior Director of Product Management, Corelight With almost two decades of networking experience, I recently made my first foray into a security-centric user conference at Zeek Week, an annual conference for the user community of the open source network security monitoring platform known as Zeek (formerly Bro) held last month in Seattle. […]
An attack or just a game? Corelight can help you tell the difference quickly
By Richard Bejtlich, Principal Security Strategist, Corelight When we think about using Corelight data, our mental models often fixate on finding evidence of suspicious and malicious activity. This makes sense, as network security monitoring data generated by Corelight and Zeek combines the granularity of high-fidelity traffic evidence with the compact features of storage-friendly data. However, […]
Don’t Delay – Corelight Today!
By Richard Bejtlich, Principal Security Strategist, Corelight Introduction Recently I heard that a company interested in Corelight was considering delaying their evaluation because of questions about SIEM technology. They currently have two SIEMs and are evaluating a third, possibly to replace the first two. They believed that they needed better clarity about SIEMs as a […]
What did I just see? Detection, Inference, and Identification
By Richard Bejtlich, Principal Security Strategist, Corelight In the course of my network security monitoring work at Corelight, I’ve encountered the terms detection, inference, and identification. In this post I will examine what these terms mean, and how they can help you describe the work you do when investigating normal, suspicious, and malicious activity in […]
Profiling Whonix
By Richard Bejtlich, Principal Security Strategist, Corelight Introduction This week I read a story announcing that the latest edition of Whonix had been released. I had heard of Whonix, but had never tried it. I knew it was a Linux distribution that tried to make it as easy and safe as possible to anonymize online […]
Bring Network Security Monitoring to the Cloud with Corelight and Amazon VPC Traffic Mirroring
John Gamble, Director of Product Marketing, Corelight Corelight Sensors transform network traffic into comprehensive logs, extracted files, and custom insights via Zeek, a powerful, open-source network security monitoring framework used by thousands of organizations worldwide to accelerate incident response and unlock new threat hunting capabilities. While the sensors we’ve released to date have supported physical […]
Investigating the Effects of TLS 1.3 on Corelight Logs, Part 2
By Richard Bejtlich, Principal Security Strategist, Corelight Introduction Welcome to part 2 of my three-part series on TLS. In the previous article I briefly introduced TLS, and showed how Corelight would produce logs for a clear-text HTTP session. In this article I will perform the same transaction using TLS 1.2, and compare the logs with […]
Investigating the Effects of TLS 1.3 on Corelight Logs, Part 1
By Richard Bejtlich, Principal Security Strategist, Corelight Introduction I’ve written previously about Corelight data and encryption. I wanted to know how TLS 1.3 would appear in Corelight data, and compare the same network conversation over clear-text HTTP, TLS 1.2, and TLS 1.3. In this first of three parts, I will introduce TLS and demonstrate a […]