Newsroom

Corelight Launches New Encrypted Traffic Insights | Corelight

Written by Kylie Heintz | Nov 19, 2019 2:42:00 PM

Major software release includes enhancements for effective visibility into encrypted traffic as well as launch of new Corelight Cloud Sensor for Microsoft Azure and new Corelight App for Splunk with expanded hunting workflows and insights

San Francisco, Calif. — Nov. 19, 2019 — Corelight, provider of the most powerful network traffic analysis (NTA) solutions for cybersecurity, today launched the Corelight Encrypted Traffic Collection (ETC) empowering threat hunters and security analysts with rich and actionable insights for encrypted traffic.

“As the use of encryption continues to rise, defenders need some light in the darkness to separate legitimate behavior from malicious activity when decryption is not an option,” said Brian Dye, chief product officer for Corelight. “This is not simply about detections, this is about a layering of data and insights that our customers need to access in order to make critical security decisions.”

Corelight’s ETC expands defenders’ incident response, threat hunting and forensics capabilities in encrypted environments by generating insights around SSH and TLS traffic that indicate potential security risk. The collection contains numerous packages developed by Corelight’s Research Team as well as curated packages from the Zeek community.

This Collection builds on Zeek’s already extensive capabilities for analyzing encrypted traffic, such as certificate metadata, JA3/HASSH fingerprints, and dedicated SSL/x.509 logs. Features, and the relevant MITRE ATT&CK category each covers, include:

  • SSH client brute force detection – supports threat hunting for Access techniques by revealing when a client makes excessive authentication attempts.
  • SSH authentication bypass detection – reveals when a client and server switch to a non-SSH protocol, a tactic used in Access attempts.
  • SSH client keystroke detection – reveals an interactive session where a client sends user-driven keystrokes to the server, which may be an indication of Command and Control activity.
  • SSH client file activity detection – reveals a file transfer occurring during the session where the client sent a sequence of bytes to the server or vice versa, which could indicate either Staging or Exfiltration activity.
  • SSH scan detection – accelerates threat hunting for Access techniques by inferring scanning activity based on how often a single service is scanned.
  • SSL certificate monitoring – extend’s Zeek’s existing certificate monitoring capabilities to help defenders limit attack surface, find vulnerabilities, and enforce internal policy.
  • Encryption detection – accelerate threat hunting by finding unencrypted traffic over commonly encrypted ports/protocols as well as custom / pre-negotiated sessions.

“The Corelight Encrypted Traffic Collection originated through deep customer partnerships that have allowed us access to real world network environments,” said Dr. Vern Paxson, creator of Zeek and co-founder of Corelight. “With this data, we can now offer a collection of insights that will help to better inform our customers on the right steps to take in their threat hunting and in their security incident response.”

The Encrypted Traffic Collection is available in the Corelight version 18 update, which begins rolling out to customers today. This new version also includes a new sensor management interface (UI) that incorporates new features that make internal compliance reviews easier and accelerate troubleshooting. The new UI mirrors the interface used in the Corelight Fleet Manager product for multi-sensor environments, making retraining unnecessary as a customer’s sensor footprint grows.

The company also released a new version of Corelight App for Splunk to better facilitate network-based threat hunting in Splunk. The free app analyzes Corelight logs to surface leading indicators of security risk across dozens of protocols such as DNS and SSL and aggregate Zeek notices and intel hits in a central dashboard.

Today’s launch also extends Corelight Cloud Sensor support to Microsoft Azure environments. Similar to the Corelight Cloud Sensor for AWS launched earlier this year, Corelight’s new sensor transforms Microsoft Azure cloud traffic into high-fidelity data for incident response, intrusion detection, forensics and more. It parses dozens of network protocols and generates a much richer, more actionable picture of Azure traffic than low-fidelity flow logs, accelerating security analysts’ ability to make sense of traffic and respond to attacks.

“Whether with Microsoft’s upcoming Azure Virtual network TAP or agent-based packet brokers, the Corelight Cloud Sensor for Microsoft Azure brings a common data format across all customer environments, whether they are operating with on-prem, virtual or cloud networks,” said Dye. “This enables security teams to use a consistent downstream analytics stack and find attackers regardless of environment.”

Availability
Corelight software version 18 is now available to customers. More information on each of today’s enhancements can be found in the product section of Corelight’s website.

The Corelight Research Team has issued a blog post with more details on the technical benefits of the Corelight Encrypted Traffic Collection.

The new Corelight for Splunk app is now available to customers via Splunkbase. More information about the new Corelight for Splunk App is available on the Corelight blog.

About Corelight
Corelight delivers the most powerful network visibility solutions for information security professionals, helping them understand network traffic and defend their organizations more effectively. Corelight solutions are built on the Zeek framework (formerly known as “Bro”), the powerful and widely-used open source network analysis framework that generates actionable, real-time data for thousands of security teams worldwide. Zeek data has become the ‘gold standard’ for incident response, threat hunting, and forensics in large enterprises and government agencies worldwide. Corelight makes a family of network sensors — both physical and virtual, at every scale — that take the pain out of deploying Zeek by adding integrations and capabilities large organizations need. The Zeek project was initially developed at Lawrence Berkeley National Laboratory (LBNL), and has been supported by the US Department of Energy (DOE), the National Science Foundation (NSF), and the International Computer Science Institute (ICSI). Corelight is based in San Francisco, Calif. For more information, visit Corelight.com or follow @corelight_inc.