How Corelight's anomaly detection enhances network security

Signature-based detections provide fast, effective defense against known attacks. But the threat landscape is changing rapidly: attackers are using novel, sophisticated techniques that bypass traditional, signature-based detection methods, and they are weaponizing legitimate tools and processes to evade established detection tools, including endpoint detection. In this dynamic environment, organizations must deploy new detection techniques to keep pace. Specifically, they need to complement signature-based detections with behavior-based detections, which let security teams identify and mitigate malicious activity by analyzing patterns and anomalies in user and system behavior.

What is Corelight's anomaly detection?

Forrester suggests that “stored data (primarily logs) is only as good as your ability to analyze it” (Trends Report: The Modern Definition of NAV, 2024). Corelight's evidence-driven analytics provide comprehensive network visibility to help surface threats from a sea of evidence. Anomaly detection is a piece of its multi-layered detection strategy. Corelight’s detection engine combines anomaly detection, machine learning, behavioral analytics, signatures, and threat intelligence—delivering more deterministic, high-confidence alerts compared to probabilistic approaches.

Integrated into Corelight Sensors, anomaly detection utilizes unsupervised machine learning to establish a baseline of normal network behavior and then alerts on deviations.

How does it work?

Corelight's anomaly detection operates on the principle of unsupervised learning:

  1. Establish a baseline. The system monitors network data over a 31-day period to learn what "normal" looks like. This process involves analyzing unlabeled network data without any human intervention or data labeling.
  2. Unsupervised learning. Using unsupervised machine learning algorithms, the system identifies patterns and behaviors in the network data. It groups network behaviors and identifies what's typical.
  3. Alert on deviations. Once the baseline is established, the system starts alerting on deviations from normal network activity. These alerts surface potential threats that might otherwise go unnoticed where attackers use legitimate tools in malicious ways.
  4. Peer group modeling. To further refine detection and reduce false positives, Corelight groups together devices and subnets with similar activities. Anomalous activity is then measured not just against an individual entity's history but also against its peer group’s history. If the activity is anomalous to both, an alert is generated. If it's only anomalous to the individual but not the group, it's likely a benign deviation, and no alert is raised.

Figure: A view of a detected anomaly in Corelight Investigator
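To make the four steps above concrete, here is an added illustrative example; it is not Corelight's code, and the post does not disclose the actual algorithm or thresholds the sensors use. It builds a 31-day per-host baseline from constructed daily byte counts, scores a new observation against the host's own history and against the pooled history of the host's peer group, and raises an alert only when the value is anomalous to both. The peer-group assignment, the z-score statistic, and the threshold of 3 standard deviations are assumptions chosen for illustration.

```python
"""Baseline + peer-group anomaly check (illustrative example, not Corelight code)."""
from statistics import mean, pstdev

BASELINE_DAYS = 31     # learning window length stated in the post
Z_THRESHOLD = 3.0      # assumed cutoff; the real threshold is not published


def build_history(base, delta, days=BASELINE_DAYS):
    """Constructed sample: daily bytes-out (MB) alternating base-delta / base+delta."""
    return [base + (delta if d % 2 else -delta) for d in range(days)]


# Constructed baseline: three workstations with similar, but not identical, profiles.
HISTORY = {
    "ws-01": build_history(100, 2),
    "ws-02": build_history(100, 1),
    "ws-03": build_history(111, 1),
}

# Assumed peer grouping (a real system would derive this from observed activity).
PEER_GROUPS = {"workstations": ["ws-01", "ws-02", "ws-03"]}


def z_score(value, samples):
    """Standard score of `value` against a list of baseline samples."""
    mu = mean(samples)
    sigma = pstdev(samples)
    if sigma == 0:
        # A perfectly constant baseline: any change is a full deviation.
        return float("inf") if value != mu else 0.0
    return (value - mu) / sigma


def peer_group_of(host):
    """Return (group name, member list) for a host."""
    for name, members in PEER_GROUPS.items():
        if host in members:
            return name, members
    raise KeyError(f"no peer group for {host}")


def evaluate(host, observed):
    """Score one new observation against the host's own and its peers' baselines.

    alert            -> anomalous to the host AND to its peer group
    benign_deviation -> anomalous to the host only (peers behave this way too)
    """
    z_self = z_score(observed, HISTORY[host])
    group_name, members = peer_group_of(host)
    pooled = [v for m in members for v in HISTORY[m]]
    z_peer = z_score(observed, pooled)
    anomalous_self = abs(z_self) >= Z_THRESHOLD
    anomalous_peer = abs(z_peer) >= Z_THRESHOLD
    return {
        "host": host,
        "peer_group": group_name,
        "z_self": round(z_self, 2),
        "z_peer": round(z_peer, 2),
        "alert": anomalous_self and anomalous_peer,
        "benign_deviation": anomalous_self and not anomalous_peer,
    }


if __name__ == "__main__":
    # ws-01 suddenly sends 5000 MB: far outside its own and its peers' history -> alert.
    # ws-02 sends 108 MB: unusual for ws-02 alone, but ordinary for the group -> no alert.
    # ws-02 sends 100 MB: normal on both measures -> no alert.
    for host, value in [("ws-01", 5000), ("ws-02", 108), ("ws-02", 100)]:
        print(evaluate(host, value))
```

The second case is the one peer group modeling exists for: a per-host model alone would flag ws-02, but because the pooled workstation baseline already contains values around 108, the deviation is treated as benign and no alert is raised.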

Detecting evasive threats

Anomaly detection uncovers elusive threats hiding amongst normal activity by identifying deviations from the established baseline, such as insider threats and attackers using living off the land techniques. Additionally, anomaly detection:

  1. Accelerates investigation and response. Reconstruct events from anomalous activity with rich contextual data, enabling faster incident resolution.
  2. Enables proactive threat hunting. Actively seek out anomalies to reduce attacker dwell time and proactively identify hidden threats.
  3. Reduces time spent on false positives. Peer group modeling helps minimize unnecessary alerts, allowing security teams to focus on higher-fidelity anomalies.

The Corelight Open-NDR Platform

Corelight delivers high-fidelity network detections that prioritize critical threats and abnormal behavior. Anomaly detection is a key component of its evidence-driven, adaptive, multi-layer detection engine. By building on open-source technologies such as Zeek®, Suricata®, and YARA, Corelight provides deep network insights that help security teams make informed decisions, detect and respond to threats faster, and reduce attacker dwell time. Combining unsupervised machine learning and peer group modeling with signature-based detection, behavioral analysis, and threat intelligence gives Corelight a robust, in-depth capability for identifying evasive threats and improving overall security posture.

*Anomaly detection is enabled for AP 3000 Series Appliance Sensors and AP 5000 Series Appliance Sensors
