San Francisco, CA, USA
May 25, 2022   |  By Nick Hunter
This morning we announced Corelight Investigator, an open NDR platform that enables security teams with the next-level evidence they need to disrupt attacks and accelerate threat hunting through an easy-to-use, quick-to-deploy SaaS solution. How does it work? Investigator combines battle-tested network evidence with intelligent alert scoring to deliver prioritized alerts tied to correlated evidence, enabling analysts to cut through the queue and accelerate incident response.
May 20, 2022   |  By Corelight Labs Team
CISA released a warning to federal agencies on May 18 that APT actors are actively exploiting recent vulnerabilities found in VMware, including CVE-2022-22954. Your first thought may have been to want new signatures, indicators, and/or behavioral techniques to detect attempted and successful exploits. If you’re a Zeek user or Corelight customer, you’ll find that sometimes you’re already getting what you need.
May 18, 2022   |  By Gregory Bell
American novelist F. Scott Fitzgerald famously wrote that “the test of a first-rate intelligence is the ability to hold two opposing ideas in mind at the same time, and still retain the ability to function.” All experienced security practitioners learn to master this mental trick. On the one hand, they believe efforts to prevent and detect breaches will be effective. On the other hand, they diligently prepare for the day when their efforts will fail.
May 17, 2022   |  By Corelight Labs Team
CVE-2022-26809 was patched in Microsoft’s previous Patch Tuesday (April 12) and it’s a doozy: remote code execution on affected versions of DCE/RPC hosts. The vulnerability attracted a lot of attention in the security community, both because of its severity but also because it appears to be really hard to trigger.
May 12, 2022   |  By Vijit Nair
Corelight is pleased to announce our integration with AWS’s Traffic Mirroring to Gateway Load Balancer (GWLB) Endpoint as a Target. This integration simplifies the monitoring of network traffic and generating Corelight data in massively scaled-out public cloud environments. When it comes to monitoring network traffic today, we see two primary deployment patterns, each with their own pain points.
May 10, 2022   |  By Stan Kiefer
Editor’s note: This is the latest in a series of posts we have planned over the next several weeks where we explore topics such as network monitoring in Kubernetes, using sidecars to sniff and tunnel traffic, show a real-world example of detecting malicious traffic between containers, and more! Please subscribe to the blog, or come back for more each week.
May 5, 2022   |  By Richard Bejtlich
What do I say if my team discovers a breach of our digital assets? This is a question that requires understanding “defensible disclosure,” a term first employed in the statistical, medical, legal, and financial communities.* Understanding what this term means and how to live up to its expectations is key in an age where organizations regularly handle intrusions and, sometimes, suffer breaches.
Apr 21, 2022   |  By Al Smith
Monitoring container traffic and extracting rich security-centric metadata provides SOC analysts an inviolable source of truth for threat detection and incident investigation. This data complements the deep visibility provided by container agents and broad visibility through monitoring audit logs.
Apr 21, 2022   |  By Corelight Labs Team
This month, Microsoft announced two vulnerabilities in portmap, which is part of ONC RPC, on Windows systems. This blog will discuss Zeek detection packages for CVE-2022-24491 and CVE-2022-24497 developed by Corelight Labs.
Apr 19, 2022   |  By Ed Smith
Now available: A free and easy way to learn about Humio and Corelight. As part of our alliance partnership with CrowdStrike and Humio, Corelight is excited to announce a new collaboration that allows our customers and the community to experience the value of evidence.
May 25, 2022   |  By Corelight
The only evidence-first threat investigation platform Investigator is a SaaS-based network detection and response (NDR) solution that combines comprehensive network evidence with machine learning and other analytics integrated into a fast, intuitive search platform to accelerate threat hunting and incident response and consolidates legacy toolsets.
Apr 29, 2022   |  By Corelight
Unmanaged endpoints, vendor security appliances, cloud instances, and IoT devices often lack endpoint protection, creating hiding places that attackers exploit. Using Humio to correlate Falcon endpoint data with Corelight network evidence improves detection capabilities for all of your devices, and makes investigators and hunters faster.
Apr 29, 2022   |  By Corelight
As one of the hottest new buzzwords in the infosec space, XDR means many things to many people. This talk will discuss all of the possible components of an XDR solution through the lens of SOC operations, laying out the pros and cons of various approaches such as SaaS vs on-premise, specialized vs general tooling, etc. for organizations of different size, funding, and maturity levels. Best practice suggestions will be provided throughout, from general principles to specific integration code.
Apr 20, 2022   |  By Corelight
XDR - Extended detection and response - promises to integrate data from any source to stop today's sophisticated and often automated attacks. The key is: Which source? Register for this exclusive session for insights on why network evidence must be a key part of your XDR strategy. Topics to be discussed include how to: Walk away with new ideas on how to stay ahead of ever-changing attacks by using a data-first strategy for detection and response.
Mar 23, 2022   |  By Corelight
With the threat of Russian cyberattacks on the rise, it’s essential for defenders of critical infrastructure to pressure test their cyber defense capabilities. In this webcast, Corelight's Alex Kirk reviews the specific techniques, tactics, and procedures that defenders should monitor in order to identify and disrupt attacks in their environment. Alex has a long and storied career as a cybersecurity professional, including a recent volunteer engagement training Ukrainian cyberdefenders this past fall.
Mar 23, 2022   |  By Corelight
The state of cloud security is evolving. Many organizations are implementing new and more advanced cloud security services that offer cloud-focused controls and capabilities, including services and tools that provide network connectivity and security for end users and office locations, security monitoring and policy controls, and identity services, among others.
Mar 11, 2022   |  By Corelight
The years 2020 and 2021 were undoubtedly the years of ransomware. Threat actors wasted no time taking advantage of the chaos caused by the COVID-19 pandemic, launching attacks that netted millions (if not billions) of dollars in extortion fees and leaked a record amount of data from victim organizations. On this webcast, we will look at how ransomware defenses have changed from 2020 through 2022. The webcast will also explore ransomware threat actor changes, current trends, and how to implement defenses against those trends.
Feb 28, 2022   |  By Corelight
Attackers have already found thousands of potential ways to obfuscate their log4j attacks, which are sweeping the Internet at breakneck speed. SOCs protecting still-vulnerable assets have a duty to chase down every alert for it that pops up - which are coming in at a rate of tens or hundreds of thousands of times a day for larger enterprises. This webcast will covers how a data-driven strategy can automate that insurmountable task into a process that quickly reveals systems that actually responded to the attack - letting teams focus on the alerts that matter the most.
Feb 24, 2022   |  By Corelight
An advanced adversary has bypassed the perimeter defenses, moved inside the environment, and become a literal ghost in the machine, free to move from system to system.... searching for its next target. This is a scenario that every SOC fears, and it presents a daunting threat hunting challenge. But, as we will demonstrate, it doesn't have to.
Feb 2, 2022   |  By Corelight
New Age Network Detection: Keeping pace with the Evolution of Tech Infrastructure New approaches to network detection and response to address increasing attacker sophistication and cloud-based resources. How advances in analytics help organizations detect attacks in encrypted traffic and identify command and control traffic. The advantage of an open data approach is to integrate with existing detection capabilities.

Corelight gives you the high ground—a commanding view of your network that lets you outsmart and outlast adversaries.

From the Acropolis to the edge of space, defenders have sought the high ground in order to see farther and turn back attacks. Corelight delivers a commanding view of your network so you can outsmart and outlast adversaries. We capture, interpret, and connect the data that means everything to defenders.

Corelight gives apex defenders the information and tools they need to successfully detect and respond to threats. Corelight is built on Zeek, an open-source, global standard technology. Zeek provides rich, structured, security-relevant data to your entire SOC, making everyone from Tier 1 analysts to seasoned threat hunters far more effective.

The Open NDR Platform:

  • Suricata: Suricata generates alerts that we embed directly into Zeek logs, putting every detection intocontext to save time, cut alert backlogs, and improve analytics.
  • Zeek: The Zeek open source network security monitor generates lightweight metadata and detections to enable threat hunting and speed incident response.
  • Smart PCAP: Smart PCAP links logs, extracted files, and insights with just the packets you need, to reduce storage costs while expanding retention times by a factor of 10.

Faster investigations, more effective threat hunts with the world's best network evidence.