
Corelight & Microsoft Defender for IoT: Through an XDR lens

What is the XDR paradox? It’s the hottest term in security, but there is no consensus yet on the right definition. Why is that? Many organizations have deployed EDR and are benefiting from it, but they are also looking at the gaps that EDR can’t address, such as unmanaged or compromised devices and network-centric TTPs. Likewise, many vendors of EDR and SIEM products have realized they share the same general workflow (analyze data, present an alert, triage it, etc.). As a result, different vendors are starting to cross-pollinate the EDR / NDR / SIEM markets, resulting in plenty of debate about what “XDR” really means and why.

Our view is simple: what matters here is the underlying data. That data dictates which TTPs can be found, which threat hunting workflows are possible, and which security-adjacent use cases are supported. Among the “canonical” security data sources, network data is critical to supporting zero trust rollouts, threat hunting programs, SOC automation initiatives, and analytics work. Simply put, the endpoint is great for depth but needs the network for breadth: enabling cost-effective visibility, broader MITRE analytics coverage, and faster incident response for both known and unknown threats.

Our partnership with Microsoft’s new Defender for IoT offering is a proof point of both the XDR market dynamics and the power of the right data. The Defender platform already has a data lake, an analytics team, and sophisticated incident response capabilities. Microsoft has extended that platform to embrace network-centric workflows and analytics. This included working with Corelight to ensure that our mutual customers can maximize the impact of the Defender platform - after all, the best data enables the best analytics!

Why Corelight then? We founded the company around Zeek®, which was already the de facto standard for network traffic analytics. Unlike a rigid standard, though, it is constantly growing and evolving - curated and used by the world’s elite defenders. Since those beginnings we have invested to improve and extend the insight we provide, using a combination of novel network data, behavioral analytics (spanning the spectrum from machine learning to heuristics to signatures), and integrated forensics support (such as Smart PCAP). Throughout, we have followed the design patterns of the sophisticated open source community and focused on enabling faster incident response, more successful threat hunting, and broader MITRE tactic coverage.

Our focus is to ensure that defenders everywhere both have the best network INSIGHT available to help them and can ACCESS that insight in the way that works best for them. That accessibility is core to our Open NDR strategy and to our excitement about this Microsoft Defender for IoT partnership. Simply put, giving analysts access to great data in an existing platform and familiar UI results in less technology proliferation, more efficient analyst training, and better automation leverage for security engineering teams. That could be through your SIEM, your MSSP, or now Microsoft Defender for IoT. While the approach will vary, the need for great network insight is consistent - and there is no better source for that insight than Corelight.

It’s not about us … it’s about you. Happy (threat) hunting!

By Brian Dye, CEO of Corelight
