Smart PCAP and threat detection in the cloud

I am thrilled to publicly launch Corelight software version 22, which introduces a transformative new security product, Smart PCAP, and also enables threat detection in the cloud by extending Corelight’s Open NDR support for Suricata across Corelight Cloud and Virtual Sensors. 

Smart PCAP

“Faster, better, cheaper — pick two,” goes the old adage. It is rare, but not impossible to find products that deliver on all three promises and today I am pleased to introduce such a product: Smart PCAP

Corelight purpose-built this new packet capture technology for security teams and it delivers up to 10x the packet lookback window at 50% of the cost compared to full PCAP. Moreover, we’ve interlinked packets with our alerts and log evidence to give analysts one-click packet retrieval from their SIEM to accelerate security investigations.

How does it work? It uses Corelight’s Zeek DPI engine under the hood to support dozens of comprehensive and resilient PCAP levers that analysts can use to configure and deploy a new capture rule in under a minute, with adjustable capture byte depth and IP/protocol specificity. Capture rules supported by Smart PCAP include: 

  1. Capture the first 2,000 bytes of all unencrypted traffic, regardless of port/protocol
  2. Capture the entirety of all TCP and UDP connections that are not already logged by Corelight’s protocol parsers
  3. Capture packets related to lateral movement detections 
  4. And many, many more…

If an organization deploys Corelight Smart PCAP and only configures the first and second capture rule above then analysts will have a source of network evidence for every connection that crosses the wire in the form of a Corelight log, captured packets, or both!  With Corelight’s comprehensive protocol logs and Smart PCAP, defenders can achieve 100% visibility and investigate network activity that occurred months, even years, in the past.

Join me for a special webinar on August 25th to learn more.

Register now >>

Threat Detections in the Cloud

Security teams often struggle to correlate alerts with evidence, especially in cloud environments where network visibility can be tricky to instrument. Today I am happy to announce we’ve extended Corelight support for our Suricata offering to Corelight Cloud and Virtual Sensors, which gives defenders the upper hand by integrating alerts directly into Corelight’s log evidence for fast investigations.

Some things just go better together like chocolate and peanut butter, so do Zeek and Suricata. While signature-driven threat detection technology may seem antiquated it still remains an effective tool in SOC arsenals for detecting broad-based attacks. Moreover, when it’s open source like Suricata, signature technology shines, especially in fast detection response to novel threats. 

Consider, for example, when the SUNBURST attack on SolarWinds was announced, organizations using Suricata had access to free community signatures to detect active SUNBURST infections within 24 hours of public disclosure while other organizations were left waiting for their proprietary detection vendors to engineer and release new SUNBURST detection capabilities, which in some cases took the better part of a week. 

As we like to say at Corelight: detecting together is detecting faster. 

By John Gamble, Director of Product Marketing, Corelight

*** This is a Security Bloggers Network syndicated blog from Bright Ideas Blog authored by John Gamble. Read the original post at: