WHY OPEN NDR? WHY CORELIGHT?


Network detection and response (NDR) platforms built on open source technologies like Zeek and Suricata offer customers greater flexibility and choice than closed platforms. Moreover, an open NDR platform can act as a force multiplier for the security team through its global communities, for example by accelerating the response to zero-day exploits via community-driven detection engineering.

Open-source: Enterprise solutions built on open-source software ensure that customers are not dependent on a single vendor for technical advances, nor beholden to that vendor financially. Corelight customers have more freedom and benefit directly from innovation by the vendor, by other vendors and even by individual contributors to the open-source project. It is a more powerful way to develop software.

Open architecture: Customer needs change over time, and every organization has specialized requirements.
The flexibility of an Open NDR platform is therefore critical: you can extend it with third-party packages, or with packages your own security team develops to meet your needs.


Why Corelight:

For over 20 years, the founders of Corelight have been building and improving open-source Zeek.

We have the only Open NDR platform designed to understand and protect your network. Corelight users have open access to their metadata and the ability to customize and extend its capabilities — together with a vibrant community.

  • Easy to deploy and operate. Familiar tools for SOC and IR operations. All sensors can be managed from a single interface using Fleet Manager.
  • Open core, giving our customers access to all the information they need to perform investigations.
  • Load 3rd-party signatures, threat intel and scripts from multiple sources such as CrowdStrike, the community and your own custom scripts.
  • Scalable to 100 Gbps on a single sensor, with successful deployments at over 1 Tbps. No extra hardware needed for analysis or aggregation.
  • Flexible: multiple choices of sensor, including HW and SW appliances, cloud sensors (Azure, AWS, GCP) and virtual sensors.
  • Data export options enable simultaneous export to multiple destinations such as Elastic, Microsoft Defender, Corelight Investigator and soon Falcon XDR.
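To make the "packages your own security team develops" and "your own custom scripts" points concrete, here is an added example of a small custom Zeek script (not Corelight's or the Zeek project's code). It raises a notice when a logged DNS query name is unusually long, a cheap heuristic for spotting DNS tunnelling; the module name, notice type and the 100-character threshold are all assumptions.

```zeek
##! Added example script, not part of Corelight or Zeek: flag unusually long
##! DNS query names via the Notice framework. Load it like any other Zeek
##! script or package alongside the base DNS analysis.

@load base/frameworks/notice
@load base/protocols/dns

module CustomDNS;

export {
    redef enum Notice::Type += {
        ## Raised when a DNS query name exceeds max_query_len characters.
        Long_Query
    };

    ## Assumed threshold; tune it to the names normally seen on your network.
    const max_query_len = 100 &redef;
}

# DNS::log_dns fires once per DNS record as it is written to dns.log,
# so the detection works on the same evidence analysts already have.
event DNS::log_dns(rec: DNS::Info)
    {
    # The query field is optional (e.g. malformed messages), so check it first.
    if ( ! rec?$query )
        return;

    if ( |rec$query| > max_query_len )
        {
        NOTICE([$note=Long_Query,
                $msg=fmt("DNS query of %d characters from %s",
                         |rec$query|, rec$id$orig_h),
                $sub=rec$query,
                $id=rec$id,
                # One notice per source host and name, to limit duplicates.
                $identifier=cat(rec$id$orig_h, rec$query)]);
        }
    }
```

The resulting notices land in notice.log beside the normal Zeek evidence and can be exported to the same SIEM or XDR destinations as the rest of the sensor output.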

BETTER TOGETHER

Technology Alliances

Crowdstrike Integrations


CrowdStrike has invested financially in Corelight, confirming the deep commitment to joint success.

Falcon XDR: Corelight is most likely the only choice for NDR data into Falcon XDR at launch (likely before 2023).

CrowdStrike Incident Response: Will use Corelight as the standard NDR tool for their IR engagements. Beneficial for customers with an existing Corelight installation (very fast time to value for IR). Likely to be announced before November 2022.

Falcon Spotlight will most likely integrate with Corelight before 2023.

Microsoft Integrations

The alliance and technical integrations enable Microsoft to augment their EDR-focused security solutions with high-quality NDR data.
Defender for IoT uses Corelight as the only 3rd-party data source for Microsoft's IoT security solution. Corelight is recognized as the best available data source for customers using Defender for IoT, Microsoft's own sensors included.
Sentinel unlocks the full potential of Corelight network evidence by providing a powerful platform to explore, detect, and hunt threats across a comprehensive set of network evidence.

Open Machine Learning and Analytics

Corelight's ML models are open, so that an analyst sees not only that an alert has fired, but also the rationale behind it.
The traffic features are exposed, as is the mathematical model that led Corelight to determine that malicious traffic was seen.
Beyond Zeek (the gold standard for network logs) and Suricata (a full-featured IDS), Corelight also adds machine-learning-based detections to find threats that are not detectable using signature- or behavior-based approaches.
ML tools can be applied at multiple layers depending on the data the analysis needs: some require the packet in memory and can only run on-sensor, some need to aggregate flows at the NDR layer, and some require correlation with other data sources in an XDR or SIEM tool. Corelight enables all of these types of ML-based detection.

Tenable Integration

Corelight integrates with Tenable vulnerability scanners. Logs can be enriched at the sensor itself, helping analysts find the relevant IDS alerts.

Mandiant Integration

Corelight integrates with Mandiant as part of their Incident Response solution. We have a deep commercial and technical partnership with them.

CORELIGHT’S POSITION IN THE NDR MARKET


Gartner defines the NDR market as driven by four core use cases: Detection, Hunting, Forensics, and Response*.

The capabilities in each of the core use cases defined by Gartner can be further enhanced by integrating with a wide range of industry-leading technology partners and tools in the EDR, SIEM, SOAR and XDR space. Confidence in Corelight is continuously validated by some of the largest and most skilled organizations aligning with Corelight as partners and customers.

Covering all four use cases with an open, transparent, integrated, and flexible technology makes defensive teams more effective in their efforts to protect the organization.

Unifying a world-class IDS solution for detection with the gold standard network evidence needed to perform expert hunting, forensics and response means that Corelight covers all four core use cases with our Open NDR platform.

An evidence-first strategy combined with an open-core solution is the most effective way to build confidence in detections and investigations, because the presence of malicious activity is proven transparently.

With our unique relationship to the open community, and the ability to write custom detections and parsers, your team can respond rapidly to new and changing situations.

*The NDR market definition draws on two Gartner reports: "Emerging Trends: Top Use Cases for NDR", published 30 July 2021, and "Hype Cycle for Security Operations, 2022", published 5 July 2022.