TMCnet News

Corelight Expands Threat Hunting Capabilities with New Encrypted Traffic Insights
[November 19, 2019]

Corelight Expands Threat Hunting Capabilities with New Encrypted Traffic Insights


SAN FRANCISCO, Nov. 19, 2019 /PRNewswire/ -- Corelight, provider of the most powerful network traffic analysis (NTA) solutions for cybersecurity, today launched the Corelight Encrypted Traffic Collection (ETC) empowering threat hunters and security analysts with rich and actionable insights for encrypted traffic.

Corelight, the leading provider of the most powerful network traffic analysis (NTA) solutions for cybersecurity

"As the use of encryption continues to rise, defenders need some light in the darkness to separate legitimate behavior from malicious activity when decryption is not an option," said Brian Dye, chief product officer for Corelight. "This is not simply about detections, this is about a layering of data and insights that our customers need to access in order to make critical security decisions."

Corelight's ETC expands defenders' incident response, threat hunting and forensics capabilities in encrypted environments by generating insights around SSH and TLS traffic that indicate potential security risk. The collection contains numerous packages developed by Corelight's Research Team as well as curated packages from the open-source Zeek community.

This collection builds on Zeek's already extensive capabilities for analyzing encrypted traffic, such as certificate metadata, JA3/HASSH fingerprints, and dedicated SSL/x.509 logs. Features, and the relevant MITRE ATT&CK category each covers, include:

  • SSH client brute force detection - supports threat hunting for Access techniques by revealing when a client makes excessive authentication attempts.
  • SSH authentication bypass detection - reveals when a client and server switch to a non-SSH protocol, a tactic used in Access attempts.
  • SSH client keystroke detection - reveals an interactive session where a client sends user-driven keystrokes to the server, which may be an indication of Command and Control activity.
  • SSH client file activity detection - reveals a file transfer occurring during the session where the client sent a sequence of bytes to the server or vice versa, which could indicate either Staging or Exfiltration activity.
  • SSH scan detection - accelerates threat hunting for Access techniques by inferring scanning activity based on how often a single service is scanned.
  • SSL certificate monitoring - extend's Zeek's existing certificate monitoring capabilities to help defenders limit ttack surface, find vulnerabilities, and enforce internal policy.
  • Encryption detection - accelerate threat hunting by finding unencrypted traffic over commonly encrypted ports/protocols as well as custom / pre-negotiated sessions.



"The Corelight Encrypted Traffic Collection originated through deep customer partnerships that have allowed us access to real world network environments," said Dr. Vern Paxson, creator of Zeek and co-founder of Corelight. "With this data, we can now offer a collection of insights that will help to better inform our customers on the right steps to take in their threat hunting and in their security incident response."

The Encrypted Traffic Collection is available in the Corelight version 18 update, which begins rolling out to customers today. This new version also includes a new sensor management interface (UI) that incorporates new features that make internal compliance reviews easier and accelerate troubleshooting. The new UI mirrors the interface used in the Corelight Fleet Manager product for multi-sensor environments, making retraining unnecessary as a customer's sensor footprint grows.


The company also released a new version of  Corelight App for Splunk to better facilitate network-based threat hunting in Splunk. The free app analyzes Corelight logs to surface leading indicators of security risk across dozens of protocols such as DNS and SSL and aggregate Zeek notices and intel hits in a central dashboard.

Today's launch also extends Corelight Cloud Sensor support to Microsoft Azure environments. Similar to the Corelight Cloud Sensor for AWS launched earlier this year, Corelight's new sensor transforms Microsoft Azure cloud traffic into high-fidelity data for incident response, intrusion detection, forensics and more. It parses dozens of network protocols and generates a much richer, more actionable picture of Azure traffic than low-fidelity flow logs, accelerating security analysts' ability to make sense of traffic and respond to attacks.

"Whether with Microsoft's upcoming Azure Virtual network TAP or agent-based packet brokers, the Corelight Cloud Sensor for Microsoft Azure brings a common data format across all customer environments, whether they are operating with on-prem, virtual or cloud networks," said Dye. "This enables security teams to use a consistent downstream analytics stack and find attackers regardless of environment."

Availability

Corelight software version 18 is now available to customers. More information on each of today's enhancements can be found in the product section of Corelight's website.

The Corelight Research Team has issued a blog post with more details on the technical benefits of the Corelight Encrypted Traffic Collection.

The new Corelight for Splunk app is now available to customers via Splunkbase. More information about the new Corelight for Splunk App is available on the Corelight blog.

About Corelight

Corelight makes powerful network traffic analysis (NTA) solutions that transform network traffic into rich logs, extracted files, and security insights for more effective incident response, threat hunting, and forensics. Corelight Sensors run on Zeek (formerly called "Bro"), the open-source network security monitoring tool used by thousands of organizations. Corelight Sensors simplify Zeek deployment and expand its performance and capabilities. Corelight's global customers include Fortune 500 companies, major government agencies, and large research universities. Corelight is based in San Francisco, Calif. For more information, visit https://www.corelight.com or follow @corelight_inc.

 

Cision View original content to download multimedia:http://www.prnewswire.com/news-releases/corelight-expands-threat-hunting-capabilities-with-new-encrypted-traffic-insights-300959015.html

SOURCE Corelight


[ Back To TMCnet.com's Homepage ]