The Importance of Empowering Organizations with Network Visibility and Threat Hunting Capabilities

In today's ever-evolving landscape of cybersecurity threats, network visibility and threat hunting have become paramount for organizations seeking to protect their valuable assets and sensitive data.

Corelight, a network detection and response (NDR) provider, was recently named a 2023 Cyber Top Innovations Award Winner. We sat down with Bernard Brantley, the Chief Information Security Officer at Corelight. In this Q&A, we delve into the fundamental security problems that Corelight aims to solve and how the company's solution is differentiated in the market.

Bernard Brantley, Chief Information Security Officer, Corelight

What problem is Corelight solving?

Corelight offers the industry’s first open network detection and response (NDR) platform. Its powerful NDR solutions transform network traffic into rich logs, extracted files and security insights for more effective incident response, threat hunting and forensics. Defenders at critical government, financial and infrastructure organizations leverage Corelight to capture everything on their networks in extraordinary detail. This evidence is highly structured, interlinked, and spans years, so customers can understand their networks and spot anomalies, not just specific attacks, in the present and, more importantly, in the past. Our data allows cyber defenders to determine exactly when and where impact began, giving security teams higher confidence in their ability to resolve and root-cause security incidents. Corelight network evidence is simple enough for anyone to use, and can be deeply integrated with detections.

Earlier in my career, I worked hard to correlate network data with alerts from multiple systems to gain contextual clarity around security events. Today Corelight has formed alliances with both Microsoft and CrowdStrike for maximized attack visibility, faster investigations, better detections and less alert fatigue. Corelight transforms network traffic into comprehensive, protocol-rich evidence that analysts can use to optimize their threat detection and response capabilities directly within the Microsoft Defender, Sentinel and CrowdStrike consoles. By correlating metadata from over 50 protocol logs, Corelight gives SOC teams a clear picture of all network activity across their organization, including all IT, IoT and ICS networks, so they can find and respond to threats quickly and easily.

Why should customers consider investing in Corelight?

Customers invest in Corelight to help reduce risk and the associated costs of managing a complex cybersecurity strategy. Our platform drives a) consolidation of legacy/disparate IDS and PCAP solutions, b) automation of core SOC capabilities and c) more efficient use of existing toolsets (SIEM, XDR) to better manage people, tool and process costs. Our compact yet rich evidence is 50x the depth of NetFlow, yet 1% of the PCAP volume, which drives both cost and risk down. To further reduce cybersecurity risk, Corelight provides new evidence, such as encrypted traffic insights, ICS/OT protocols and app ID, to reduce blind spots in network visibility. Interlinking data with alerts immediately reduces noise (and fatigue) and allows customers to drive MTTD/MTTR down and incident closure rates up.

How well is Corelight meeting the needs of its customers?

Corelight provides security teams with network evidence so they can protect the world’s most critical organizations and companies, including Fortune 500 companies, major government agencies and large research universities. Corelight removes blind spots in customer networks by providing the industry’s broadest set of evidence from both proprietary and community (open source) sources. This, combined with a scalable architecture (1G to 100G), our ability to interlink evidence from data logs with alerts and our dedicated support infrastructure, is a key driver of our high NPS scores and 100%+ net retention rate. Corelight customers have open, unrestricted access to all the evidence behind every alert and to all evidence across their environment to maximize knowledge and their investigative capabilities and speed. Customers also enjoy a force multiplication advantage by leveraging the power of continuous analytics engineering from the open-source Suricata and Zeek communities, who develop everything from rapid zero-day detections to new protocol analyzers. Additionally, Corelight customers can easily modify the platform’s capabilities, such as by building custom detections, and also integrate the platform with their favorite security tools thanks to the open, extensible nature of the underlying technologies used.

Corelight security dashboard

Are efforts underway to continue developing and strengthening the platform?

Corelight is continuing to invest heavily in expanding features that drive increased visibility, improve detection coverage and accuracy, accelerate incident response and reduce operational costs.

This includes cloud/SaaS-based solutions and artificial intelligence to address increased customer requirements for network monitoring in hybrid cloud environments and enable customers to use AI to detect a wider range of sophisticated attacks.

Corelight now also offers a full range of advanced machine learning (ML) models across all form factors, from SaaS, to the network edge, to the datacenter. By integrating GPT directly into the analyst experience, Corelight is able to empower all users, regardless of their sophistication, to immediately recognize and understand complex attack patterns and potential remediations.

Corelight’s customers are telling us that our approach to GPT integration is solving a real problem, and this is only the beginning of what's possible.

What are the top 4 differentiators of the Corelight platform?

1. Complete visibility: Corelight provides a commanding view of your organization and all devices that log onto your network, delivering visibility into every connection to give a complete understanding of your network. Our out-of-band sensors parse all North-South and East-West traffic, turning it into rich, correlated, security-specific evidence that goes back months, not days.

2. Next-level analytics: Corelight delivers a comprehensive suite of network security analytics that help organizations identify more than 75 adversarial TTPs across the MITRE ATT&CK spectrum. These detections reveal known and unknown threats via hundreds of unique insights and alerts across machine learning, behavioral analysis and signature-based approaches. Drawing on continuous detection engineering from the open source community, Corelight gives analysts the evidence they need to investigate alerts and threat hunt.

3. Faster investigation: Corelight’s rich, pivotable telemetry covers everything that crosses your network, so your analysts can make connections and find out what really happened, quickly and confidently. Every alert is combined with evidence to accelerate decisions, helping you get through backlogs faster and allowing your team to cut through the queue and focus on high-priority work.

4. Expert hunting: Corelight discovers undocumented devices, spots adversaries, and makes decisions on unmitigated risk—before the attack happens. Corelight provides the context that SOC teams need to reduce dwell time and find hidden attacks—yet it is lightweight enough to be stored for years.