Published on August 19th, 2019

First Look: Corelight Sensor | DigitalMunition

Product Name: Corelight Sensor
Company Name: Corelight
Pricing: $4,685/Gbps

What it does: Transforms network traffic activity into context-rich, actionable detail for security monitoring teams.
What we liked: Makes quick sense of traffic so incidents can be resolved faster, and threat hunting is done more efficiently.
The Bottom Line: Corelight sensors are a critical tool for any company looking to effectively monitor network traffic.

One of the biggest security challenges companies face is organizing mountains of network data into a format that security teams can act on; the large volumes and unstructured format also make the data difficult for SIEMs to interpret.

The one constant about malicious actors is that they inevitably have to traverse the network to reach key data resources. With security teams always searching for a “needle” in a stack of “needles,” unstructured and hard-to-interpret network data has a dramatic impact on the risk profile of any organization.

Messy, incomplete data has been shown to directly raise a company’s business risk. When companies fall behind on organizing their data, they leave themselves open to attacks that go undetected or take longer to resolve, causing more damage. Structuring network data in a way that adds context and makes it easier for SIEM technologies to consume eliminates the potential for data overload. Having security teams focus on relevant data reduces response time and ultimately reduces risk. Often the data people are working with is not what they actually need, leaving many companies to find their own way of pulling from a variety of sources and stitching the results together into one quick overview. Being able to distinguish the different types of data, and to filter out the excess of the wrong data so that the company can focus on having enough security-relevant data, is important for any business.

Corelight has addressed this issue with an array of sensor technology designed and purpose-built for security. Corelight’s sensors transform all network traffic into rich data, reassemble and extract important network files, and monitor for and detect threats with custom logic. The sensors build on the open source Zeek project (originally called “Bro”): Zeek acts as the processing engine for the data, while Corelight is a commercialization of that technology in a sensor package. Zeek itself is an open-source network security monitoring tool used by thousands of organizations; it transforms raw network traffic into comprehensive, actionable network logs organized by protocol. This technology allows the modern security stack to run with faster incident response, a larger scope for threat hunting, and increased detection accuracy. Past customers of Corelight have reported responding to incidents 20 times faster.

The Corelight product takes the open source tool to a new level of visualization: data can be viewed for a single source (sensor) or across the whole fleet. Once a box is configured it keeps collecting data, which allows for constant monitoring. The Corelight product has shown itself to be a true analyst tool for adding context to the many forms of data that traverse a typical network.

Corelight sensors simplify Zeek deployment and expand its performance and capabilities. The hardware appliances offer 1/10/40G monitoring interfaces. One of the key aspects of their approach is the Fleet Manager dashboard paired with the data collection sensors. The Fleet Manager sorts the fleet into three categories: Needs attention, Near capacity, and Healthy. Sensors are categorized based on the policies the customer sets, and those same policies are then applied to configure the sensors and their data transmission. The Corelight sensors generate 40+ types of enriched logs out of the box; setup is straightforward and requires only IP addresses and data source selections. Out-of-the-box integrations include Splunk, Kafka, Syslog, Elastic and more, and Syslog serves as a common framework for sending data to other SIEMs such as QRadar and LogRhythm.
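The review describes the core transformation in the abstract: raw traffic becomes protocol-organized, typed logs that a SIEM can ingest over syslog or a JSON pipeline. The Python below is an added example, not Corelight's or Zeek's own code, showing what that looks like at the log level. It parses Zeek's default TSV format (honouring the `#separator`, `#unset_field`, `#empty_field`, `#fields` and `#types` header directives, so it works for conn, dns, http and other log types), emits one JSON object per row, and rolls conn records up per detected service. The sample `conn.log` rows are constructed for illustration, and the `_path` key and the per-service summary are this example's own conventions rather than anything the product defines.

```python
"""Turn Zeek (formerly Bro) TSV logs into structured JSON records.

Added example, not Corelight's or Zeek's own code. Raw sensor output becomes
protocol-organized, typed records that a SIEM can consume directly.
"""
import json
from collections import defaultdict

# Constructed sample: a shortened Zeek conn.log in the default TSV layout.
# Real logs carry the same header directives but many more columns and rows.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#open\t2019-08-19-10-00-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum"
    "\tstring\tinterval\tcount\tcount\tstring\n"
    "1566208800.123456\tCabc123\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp"
    "\tssl\t12.5\t1500\t98000\tSF\n"
    "1566208801.000000\tCdef456\t10.0.0.7\t53122\t10.0.0.1\t53\tudp"
    "\tdns\t0.02\t60\t120\tSF\n"
    "1566208802.500000\tCghi789\t10.0.0.9\t40000\t198.51.100.20\t22\ttcp"
    "\t-\t3600.0\t-\t-\tS0\n"
    "#close\t2019-08-19-10-05-00\n"
)


def _coerce(val, typ, unset, empty):
    """Map one textual cell to a Python value using the #types row."""
    if val == unset:
        return None          # Zeek writes '-' when a field was never set
    if val == empty:
        return ""            # '(empty)' marks an empty string or set
    if typ in ("count", "int", "port"):
        return int(val)
    if typ in ("time", "interval", "double"):
        return float(val)
    return val               # addr, enum, string and others stay as text


def parse_zeek_tsv(text):
    """Yield one dict per data row, keyed by the #fields header.

    Header directives are honoured rather than hard-coded, so the same
    parser handles any Zeek log type (conn, dns, http, ssl, ...).
    """
    sep, unset, empty = "\t", "-", "(empty)"
    fields = types = path = None
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            if raw.startswith("#separator"):
                # This one line is space-delimited and escape-encoded ("\x09")
                sep = raw.split(" ", 1)[1].encode().decode("unicode_escape")
            elif raw.startswith("#unset_field"):
                unset = raw.split(sep, 1)[1]
            elif raw.startswith("#empty_field"):
                empty = raw.split(sep, 1)[1]
            elif raw.startswith("#path"):
                path = raw.split(sep, 1)[1]
            elif raw.startswith("#fields"):
                fields = raw.split(sep)[1:]
            elif raw.startswith("#types"):
                types = raw.split(sep)[1:]
            continue  # #open, #close, #set_separator carry no row data
        if fields is None:
            raise ValueError("data row appeared before the #fields header")
        values = raw.split(sep)
        if len(values) != len(fields):
            raise ValueError("row has %d cells, header has %d" % (len(values), len(fields)))
        record = {
            name: _coerce(val, typ, unset, empty)
            for name, typ, val in zip(fields, types or [""] * len(fields), values)
        }
        record["_path"] = path  # log type carried along for the SIEM (our own convention)
        yield record


def to_json_lines(text):
    """One JSON object per line, with numbers already typed: the shape a
    Splunk, Elastic or syslog forwarder ingests without further parsing."""
    return [json.dumps(rec) for rec in parse_zeek_tsv(text)]


def summarize_by_service(records):
    """Roll conn records up per detected service: connection count and bytes.

    Unset byte counters (e.g. half-open S0 connections) contribute zero.
    """
    summary = defaultdict(lambda: {"connections": 0, "bytes": 0})
    for rec in records:
        service = rec.get("service") or "unknown"
        summary[service]["connections"] += 1
        summary[service]["bytes"] += (rec.get("orig_bytes") or 0) + (rec.get("resp_bytes") or 0)
    return dict(summary)


if __name__ == "__main__":
    rows = list(parse_zeek_tsv(SAMPLE_CONN_LOG))
    for line in to_json_lines(SAMPLE_CONN_LOG):
        print(line)
    print(summarize_by_service(rows))
```

The point of coercing types from the `#types` row is that the SIEM receives `443` as a number and `-` as `null`, so port ranges, byte totals and "never answered" (S0) connections can be searched and aggregated without per-dashboard string munging; the per-service roll-up is the kind of context the review credits the sensors with adding.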

This solution is sold as an annual subscription with the hardware purchased separately. The hardware is priced per sensor, with the price varying by size. For virtual and cloud offerings, pricing is based on capacity (average daily utilization). Corelight sensors can be stacked to increase capacity, using a packet broker to distribute traffic among several appliances to support very large networks. The company is very committed to customer support, which is maintained at very high levels and can include remote sensor monitoring, included at no additional charge, if clients are open to it.
