Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

How to use Corelight and Zeek logs to mitigate RDS/RDP vulnerabilities

By Richard Bejtlich – May 22, 2019

Introduction On May 14 Microsoft released patches for, and details about, a remote code execution vulnerability in Remote Desktop Services (RDS), the graphical interactive desktop offered with most Windows operating system platforms. This... Read more »

Network Security Monitoring, a requirement for Managed Service Providers?

By Richard Bejtlich – May 20, 2019

Over the last six months, we’ve read in the security press about a variety of managed service providers (MSPs) being compromised by nation-state and criminal actors. Some examples: Read more »

Do you know your NSM data types?

By Richard Bejtlich – April 29, 2019

When I first began writing about network security monitoring in 2002, I based my understanding on my experience in the Air Force Computer Emergency Response Team (AFCERT) and the tools and processes we used to detect criminal and nation-state... Read more »

Is IPS a feature or a product?

By Richard Bejtlich – April 1, 2019

This post is a departure from previous editions. It is inspired by discussions I’ve had recently with a few different online and in-person communities. I will present my view on the topic, but I’m more interested in hearing what readers think! Read more »

Corelight + Chronicle Backstory: Technology integration brings all the right data at the right time for customers

By Allen Male – March 25, 2019

At the recent RSA Conference, Chronicle launched Backstory, a new security analytics platform, and we are pleased to share that Corelight is part of the Chronicle Index Partner program. Read more »

First, Do No Harm

By Richard Bejtlich – March 13, 2019

When we hear the phrase “first, do no harm,” most of us think of the Hippocratic Oath and its guidance for physicians. I was surprised to learn that the phrase as translated does not actually appear in the Greek, and that the origins are more... Read more »

Astronomers and Chemists

By Brian Dye – February 27, 2019

Scale is a great word, because its meaning is truly in the eye of the beholder. To an astronomer, it might mean millions of light years. To a chemist, nanometers. In the network security monitoring (NSM) world, Corelight is enabling scale in two... Read more »

Examining aspects of encrypted traffic through Zeek logs

By Richard Bejtlich – February 18, 2019

In my last post I introduced the idea that analysis of encrypted HTTP traffic requires different analytical models. If you wish to preserve the encryption (and not inspect it via a middlebox), you have to abandon direct inspection of HTTP payloads... Read more »

Network security monitoring is dead, and encryption killed it.

By Richard Bejtlich – January 28, 2019

This post is part of a multi-part series on encryption and network security monitoring. This post covers a brief history of encryption on the web and investigates the security analysis challenges that have developed as a result. I’ve been hearing... Read more »

Monitoring. Why Bother?

By Richard Bejtlich – January 14, 2019

In response to my previous article in this blog series, some readers asked “why monitor the network at all?” This question really struck me, as it relates to a core assumption of mine. In this post I will offer a few reasons why network owners have... Read more »