June 24, 2019 by John Gamble
Corelight Sensors transform network traffic into comprehensive logs, extracted files, and custom insights via Zeek, a powerful, open-source network security monitoring framework used by thousands of organizations worldwide to accelerate incident response and unlock new threat hunting capabilities.
While the sensors we’ve released to date have supported physical networks, customers have regularly asked if we could extend these capabilities to their Amazon Virtual Private Cloud (Amazon VPC) infrastructure. Today, I’m excited to announce we can with the introduction of the Corelight Cloud Sensor, deployable in AWS and capable of ingesting traffic directly from the new Amazon VPC traffic mirroring feature launched today at the AWS re:Inforce conference in Boston.
Notably, Amazon VPC traffic mirroring allows customers to mirror Amazon VPC traffic to Corelight Cloud Sensors without needing to deploy and manage 3rd party packet-forwarding agents on their Amazon EC2 instances. This streamlines customer operations, improves scalability, and reduces security risk by duplicating traffic at the Elastic Network Interface (ENI) level. To read more about Amazon VPC traffic mirroring and learn how it supports security and operational functions, please read theAmazon announcement.
You can also register for our July 9th webcast where our product management team will be joined by Anoop Dawani, Product Lead EC2 Networking for AWS, for an in-depth discussion and demonstration of how customers can reduce security risk using Corelight’s network security monitoring capabilities in their Amazon VPC environment.
How specifically do Corelight Cloud Sensors help AWS customers accelerate incident response times and unlock new threat hunting powers? By transforming Amazon VPC traffic packets into a fast, comprehensive data picture consisting of logs and files that lets analysts and analytics alike make quick sense of traffic and move at the speed of attack. Sample use cases include:
● Incident response acceleration – Analysts can use Corelight’s protocol-comprehensive logs to quickly determine if 3rd-party security alerts are valid, diagnose how the attacks occurred, and assess their impact to identify the most expedient containment and remediation strategy.
● Threat hunting for encrypted attacks – Corelight Cloud Sensors comprehensively parse and log encrypted Amazon VPC traffic without breaking and inspecting it, generating separate logs for encrypted protocols like SSL, SSH, and Kerberos and also a log for x.509 certificates. Threat hunters can use these insights to search for and discover self-signed or expired certificates that may lead to an attack discovery and they can also fingerprint SSL connections to whitelist or blacklist them.
● Enabling file-based malware detection – Corelight Cloud Sensors can reassemble and extract files from Amazon VPC traffic in real-time, providing a reliable, deduplicated traffic-fed pipeline for file analysis tools and analysts to uncover file-based threats.
Watch this video to see some of these use cases in action and learn more about the Corelight Cloud Sensor deployment and configuration process with Amazon VPC traffic mirroring.
Sign up now to secure your spot for our July 9th webcast to learn how you can instrument powerful network security monitoring in your Amazon VPC infrastructure.
Tagged With: Zeek, Network Security Monitoring, network traffic analysis, Partnership, NSM, logs, Incident response, SSH, SSL, Announcements, Zeek Logs, Amazon, Product, Amazon Virtual Private Cloud, AWS, Corelight Sensor, Corelight vs. Open-Source, threat hunter, AWS re:Inforce, Cloud Sensor, malware detection