An Unbroken Chain of Security Monitoring

I just stepped off the evening Acela from Washington to New York, happy to have escaped FS-ISAC with my wits somewhat intact. My mind is not on financial security, however, but rather on a movie script I’ve just read during my ride that was written by a super-geek for super-geeks. The script is one the author claims that Paramount was too stupid to buy – and I agree. I found the narrative awesome, but then I’m a total sucker for forward time travel.

Vern Paxson is its author, and his unpurchased 1993 piece was titled Unbroken Chain. I guess I should mention that Paxson also happens to serve as Professor in the Computer Science Department at UC Berkeley, where he leads the Networking and Security Group. He also serves as the Co-Founder and Chief Scientist for San Francisco-based Corelight, which grew out of the open-source Bro Project (now known as Zeek), which Dr. Paxson also created in 1995.

Before we get into the specifics of Corelight, I should mention that the executive team at Corelight is a heady group. In addition to Paxson, Richard Bejtlich, author of several good books on security and former Chief Security Strategist at FireEye, serves on the team, as do Greg Bell, Seth Hall, and other major contributors to our community. This is a powerful team, and obviously the only one I’ve ever encountered with a movie script under its belt.

What Corelight does is turn network traffic into security visibility. Customers deploy Corelight sensors into the environments they want to monitor, such as Amazon Virtual Private Cloud (VPC) networks hosting EC2 instances, to collect rich protocol logs and extracted files. That telemetry is presented in a management console and forwarded to your existing enterprise SIEM, file-analysis tool, or other analytic platform for processing, review, and response.

“Our solution grew from the Bro project, which is now known as Zeek,” explained Alan Saldich, who heads marketing for Corelight. “We extract data from network traffic using sensors built on Zeek. The result is a commercial platform that allows our users to create high levels of security visibility for their network. Obviously, this visibility enables detection of indicators which leads to actionable insights.”

As you might expect, my discussion with Saldich quickly turned to the topic of encryption. Anyone working in this field is well aware of the growing challenge network monitoring tools face in maintaining meaningful visibility as cryptographic protection of traffic becomes pervasive. Zero trust security, in particular, drives encryption of traffic regardless of any perimeter-based protection. This is good for security, but bad for monitoring.

Saldich pointed, however, to the new Encrypted Traffic Collection capability being developed at Corelight. Its purpose is to draw inferences from encrypted sessions without decrypting them, so there is no need to request decryption keys from the network owner. It includes a clever fingerprinting method for SSL/TLS and SSH, which works on the parts of the handshake that remain in the clear, as well as heuristics over visible metadata, such as certificate expiration, to make sense of ciphertext ingested into the Corelight sensor. One caveat a practitioner should keep in mind: newer protocol versions such as TLS 1.3 encrypt more of the handshake (including the server certificate), which narrows what such metadata-driven heuristics can see.

Specific Corelight products include the Fleet Manager, which is the top-level dashboard for configuration and management, as well as the collection of Corelight Sensors, which are preloaded with dozens of Zeek packages for detection and analysis. Sensors are available for Azure and AWS, and the form factor ranges from virtual sensors to hardware appliances (which Saldich claims remain quite popular).

I asked Saldich to take me through some methodology-driven use-cases and he offered a rich set of examples. One involved Community ID, an open flow-hashing specification: each tool computes the same hash from a connection’s 5-tuple, with the endpoints ordered so that both directions of a flow match, so records for one flow in Zeek, Corelight, Suricata, Moloch, and Elastic all carry an identical key. Investigators can pivot between the output of these tools on that key to draw conclusions about an on-going event.
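To make the correlation concrete, here is an added example (my own code, not Corelight’s or the Community ID project’s reference implementation) that computes a Community ID v1 flow hash and then uses it to join constructed Zeek conn.log rows with a constructed Suricata eve.json alert. The sample records, addresses (RFC 5737 ranges) and the `ZEEK_CONN`/`SURICATA_EVE` names are all assumptions made for illustration; the example covers TCP, UDP and SCTP flows and leaves out the spec’s ICMP and port-less protocol mappings.

```python
import base64
import hashlib
import ipaddress
import struct
from collections import defaultdict

# IANA protocol numbers for the port-bearing transports this example handles.
# Community ID also defines mappings for ICMP and port-less protocols; those
# are deliberately omitted here.
PORT_PROTOCOLS = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id_v1(saddr, sport, daddr, dport, proto="tcp", seed=0):
    """Return the Community ID v1 string for a 5-tuple.

    Bytes hashed with SHA-1: seed (uint16 BE) || saddr || daddr ||
    proto (uint8) || 0x00 pad || sport (uint16 BE) || dport (uint16 BE).
    Endpoints are ordered (lower address first, lower port on a tie), so
    A->B and B->A yield the same hash. Seed 0 is what Zeek, Suricata and
    Elastic use by default.
    """
    proto_num = PORT_PROTOCOLS[proto.lower()]
    sa = ipaddress.ip_address(saddr).packed
    da = ipaddress.ip_address(daddr).packed
    if len(sa) != len(da):
        raise ValueError("both endpoints must be the same address family")
    # Canonical ordering: byte-wise compare of network-order addresses,
    # then ports; swap if the tuple is not already in order.
    if not (sa < da or (sa == da and sport < dport)):
        sa, da, sport, dport = da, sa, dport, sport
    data = struct.pack("!H", seed) + sa + da + struct.pack("!BBHH", proto_num, 0, sport, dport)
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


# Constructed sample events (not real captures). The first Zeek row and the
# Suricata alert describe the same TCP session, but Suricata logged it from
# the server side, so its src/dest fields are reversed.
ZEEK_CONN = [
    {"uid": "CzeekAAA1", "id.orig_h": "10.0.0.5", "id.orig_p": 52114,
     "id.resp_h": "198.51.100.20", "id.resp_p": 443, "proto": "tcp"},
    {"uid": "CzeekAAA2", "id.orig_h": "10.0.0.7", "id.orig_p": 40000,
     "id.resp_h": "192.0.2.53", "id.resp_p": 53, "proto": "udp"},
]
SURICATA_EVE = [
    {"event_type": "alert", "src_ip": "198.51.100.20", "src_port": 443,
     "dest_ip": "10.0.0.5", "dest_port": 52114, "proto": "TCP",
     "alert": {"signature": "constructed test signature"}},
]


def zeek_cid(rec):
    """Community ID for a Zeek conn.log record (orig = source, resp = dest)."""
    return community_id_v1(rec["id.orig_h"], rec["id.orig_p"],
                           rec["id.resp_h"], rec["id.resp_p"], rec["proto"])


def suricata_cid(rec):
    """Community ID for a Suricata eve.json record."""
    return community_id_v1(rec["src_ip"], rec["src_port"],
                           rec["dest_ip"], rec["dest_port"], rec["proto"])


def correlate(zeek_records, suricata_records):
    """Group records from both tools under their shared Community ID key."""
    flows = defaultdict(lambda: {"zeek": [], "suricata": []})
    for rec in zeek_records:
        flows[zeek_cid(rec)]["zeek"].append(rec)
    for rec in suricata_records:
        flows[suricata_cid(rec)]["suricata"].append(rec)
    return dict(flows)


if __name__ == "__main__":
    for cid, hits in correlate(ZEEK_CONN, SURICATA_EVE).items():
        print(cid, "zeek uids:", [r["uid"] for r in hits["zeek"]],
              "suricata alerts:", len(hits["suricata"]))
```

The direction-independent ordering is the whole point: a sensor that first sees the server-to-client packet still produces the same key as one that saw the client’s SYN. When wiring this into a real pipeline, confirm every tool is configured with the same seed, since a mismatched seed silently breaks the join; the spec’s published test vectors are the quickest way to validate an implementation.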

With such a deep connection to the Zeek community, Corelight enjoys a customer base that benefits directly from that intimacy with the popular open-source project. And with one of the more technical management teams, Corelight will appeal to threat hunters and other technically-minded teams who demand deep understanding of network analysis standards, tools, and protocols from their vendors.

From an analyst perspective, it must be acknowledged that Corelight is swimming in a tough pool, simply because modern cloud architectures in a zero trust environment shift the emphasis toward the virtual workload rather than toward the encrypted connections that traverse diverse, hybrid networks. So, continued growth for Corelight will be anything but a simple layup, and a lot hinges on the success of their Encrypted Traffic Collection.

But do not bet against this management team. With major scientists such as Vern Paxson at the helm, it seems likely that they will continue to find ways to delight the Zeek community with commercial tools to complement their open-source deployment. And, of course, there is another possibility: With networking companies like AT&T now in the movie business, maybe Corelight shouldn’t give up on getting their scripts bought and produced into films.

After you’ve taken the time to learn more about Corelight, I hope you will share what you learn with the rest of us. I look forward to hearing from you.