November 19, 2019 by Vince Stoffer
This week’s launch of version 18 of our software features the Encrypted Traffic Collection, our first collection of a series of detections and data enrichments created by the Corelight research team. This collection focuses on SSH, SSL/TLS certificates, and insights into encrypted network sessions.
SSH Inferences
The first package focuses on SSH inferences. With a few clicks, the following features can be enabled on the Corelight sensor to provide network traffic analysis (NTA) inferences on live SSH traffic. SSH can be used in many different ways, including transferring files, executing a single command, or providing an interactive terminal. Certain features trigger a notice or alert to enable a rapid response. Additionally, for data enrichment, each category will note the specific types of usage seen for each SSH connection. These will be included in a newly created field in the SSH log called inferences.
Corelight security researcher Anthony Kasza describes the SSH Inferences Package in greater technical detail on the blog this week as well.
TLS Certificate Hygiene
Another package included in the Encrypted Traffic Collection helps to monitor and alert on SSL/TLS certificate policies including:
Tunable configuration options
What may be worth an analyst’s attention at one site may be normal behavior at another. This is one of the core tenets of Zeek’s policy-neutral event system. Because the packages expose tunable knobs, you get to decide what is worth turning on or being notified about. Both the SSH and TLS packages provide options for controlling notices, disabling specific features, and tuning away noise from false positives.
Futures
While our plans are subject to change, in the following software release (v19) we plan to fill out this Encrypted Traffic Collection with additional packages and features including generalized interactive session detection and more. We look forward to sharing even more of the great work from Corelight Labs in the future.
Vince Stoffer - Senior Director, Product Management, Corelight