Corelight Bright Ideas Blog: NDR & Threat Hunting Blog

Network Security Monitoring, a requirement for Managed Service Providers?

By Richard Bejtlich – May 20, 2019

Over the last six months, we’ve read in the security press about a variety of managed service providers (MSPs) being compromised by nation-state and criminal actors. Some examples: Read more »

Do you know your NSM data types?

By Richard Bejtlich – April 29, 2019

When I first began writing about network security monitoring in 2002, I based my understanding on my experience in the Air Force Computer Emergency Response Team (AFCERT) and the tools and processes we used to detect criminal and nation-state... Read more »

Is IPS a feature or a product?

By Richard Bejtlich – April 1, 2019

This post is a departure from previous editions. It is inspired by discussions I’ve had recently with a few different online and in-person communities. I will present my view on the topic, but I’m more interested in hearing what readers think! Read more »

First, Do No Harm

By Richard Bejtlich – March 13, 2019

When we hear the phrase “first, do no harm,” most of us think of the Hippocratic Oath and its guidance for physicians. I was surprised to learn that the phrase as translated does not actually appear in the Greek, and that the origins are more... Read more »

Examining aspects of encrypted traffic through Zeek logs

By Richard Bejtlich – February 18, 2019

In my last post I introduced the idea that analysis of encrypted HTTP traffic requires different analytical models. If you wish to preserve the encryption (and not inspect it via a middlebox), you have to abandon direct inspection of HTTP payloads... Read more »

Network security monitoring is dead, and encryption killed it.

By Richard Bejtlich – January 28, 2019

This post is part of a multi-part series on encryption and network security monitoring. This post covers a brief history of encryption on the web and investigates the security analysis challenges that have developed as a result. I’ve been hearing... Read more »

Monitoring. Why Bother?

By Richard Bejtlich – January 14, 2019

In response to my previous article in this blog series, some readers asked “why monitor the network at all?” This question really struck me, as it relates to a core assumption of mine. In this post I will offer a few reasons why network owners have... Read more »

Network Security Monitoring: Your best next move

By Richard Bejtlich – December 10, 2018

Welcome to the first in a regular series of blog posts on network security monitoring (NSM). Read more »

Network security monitoring vs supply chain backdoors

By Richard Bejtlich – October 3, 2018

On October 4, 2018, Bloomberg published a story titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” with a subtitle “The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by... Read more »

Twenty years of network security monitoring: from the AFCERT to Corelight

By Richard Bejtlich – September 10, 2018

I am really fired up to join Corelight. I’ve had to keep my involvement with the team a secret since officially starting on July 20th. Why was I so excited about this company? Let me step backwards to help explain my present situation, and forecast... Read more »