
How do you know?

By Charles Strauss, Senior Brand Copywriter, Corelight

Can you be sure attackers aren’t hiding in your encrypted traffic? Can your investigators go back 18 months to find what they need? Do your DNS queries all have responses, and are the answers what you expected? Do your alerts mean something, or nothing?

How do you know? 

It’s a fundamental question in enterprise security. Why? Imagine the two following shops.

The first SOC has deployed dozens of solutions from leading security vendors over the last decade, focusing on detecting and stopping intrusions, malware, and exfiltration.

The second SOC has deployed the same tools; however, they know that some attackers will get through no matter what. Their strategy is based on this reality: they collect evidence above and beyond standard alerts. They emphasize network monitoring because an attacker who controls a host can tamper with that host’s logs but not with the traffic it sends, and it’s tough to do much — like deploy malware or exfil data — without traversing the network.

Now pretend you’re the CISO at each of these organizations, and an incident occurs. How do you find out — and prove — that you’ve been compromised? Or that you haven’t? Do you have evidence that can go all the way back to when an event started? How do you know?

The second SOC will have good answers to these questions because they’ve been observing networks and collecting the right evidence for years, not just for particular attacks. 

The same is true at the most sophisticated shops. They have a data-first strategy that allows them to understand their networks and spot anomalies. It gives their analysts all the evidence they need to close investigations quickly without misclassifying incidents. And it enables their hunters to pivot on that intelligence to expose intrusions before they become breaches. But making all that happen isn’t easy, at least not without Corelight.

Corelight delivers the gold standard for network evidence that’s complete, interlinked, and lightweight — exactly what elite SOCs use. Plus, Corelight is easy to deploy and manage, and works with the tools and processes you already have. With our evidence, you can ask all kinds of interesting questions that are typically hard (or impossible) to resolve, including:

  • Is C2 happening right now in your Tennessee manufacturing site? 
  • What’s that unusually large encrypted traffic flow to China? 
  • Your CEO got spear phished; was anyone else affected? 

Give your security team Corelight evidence and they’ll have the answer to almost any question about your networks at their fingertips. Not only will everyone be more effective every day, they’ll also build a lasting advantage over adversaries. 

Corelight is how you know.

*** This is a Security Bloggers Network syndicated blog from Bright Ideas Blog authored by Charles Strauss. Read the original post at: https://corelight.blog/2021/05/18/how-do-you-know/