Corelight announces open NDR platform by integrating Zeek and Suricata

Corelight announced its first major steps toward offering an open network detection and response (NDR) platform that will bring a proven open-source design pattern into one unified product for customers.

Corelight has integrated two powerful open-source projects, Zeek and Suricata, into a seamless solution that enables rapid pivoting from Suricata alerts into the rich network metadata extracted by Zeek.

Suricata is an open-source network threat detection engine already supported by a wide variety of ruleset providers. The integration will first be available as an additional license on Corelight’s highest capacity sensor, the AP 3000.

“The power of deep integration between Zeek and Suricata is significant. Incident responders often deal with hundreds of Suricata alerts, but making sense of them quickly is challenging,” said Brian Dye, chief product officer at Corelight.

“Zeek brings rich network evidence together with Suricata’s extensive rules and signature language, making it possible for security teams to rapidly test their hunting hypotheses and turn discoveries into automated threat detections.”

Corelight’s new integrated Suricata log includes the Unique ID (UID) familiar to Zeek users, which means an analyst can pivot directly from a Suricata alert into any of the Zeek logs to leverage powerful evidence about email, web traffic, SSL, DHCP, DNS and dozens of other data types inherent to Zeek.
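The UID pivot described above, as an added example that is not Corelight's or Zeek's own code: it joins constructed Suricata alert records carrying a Zeek `uid` to constructed Zeek JSON log records and flags alerts that have no matching network evidence. Zeek's JSON logs genuinely carry `uid`; the `_path` field and the exact shape of the Suricata record are assumptions made for this example.

```python
import json
from collections import defaultdict

# Constructed sample records (no real traffic). Zeek's JSON conn/ssl logs really
# carry "uid"; the "_path" field and the Suricata record layout (EVE-style
# "alert" object plus a "uid" column) are assumptions for this example.
ZEEK_LOGS = """\
{"_path":"conn","ts":1600000000.1,"uid":"CxXy12AbCdEf","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"203.0.113.7","id.resp_p":443,"proto":"tcp","service":"ssl","orig_bytes":812,"resp_bytes":4096}
{"_path":"ssl","ts":1600000000.2,"uid":"CxXy12AbCdEf","server_name":"constructed.example.test","version":"TLSv12"}
{"_path":"conn","ts":1600000001.0,"uid":"CzZz99QqRrSs","id.orig_h":"10.0.0.9","id.orig_p":40000,"id.resp_h":"198.51.100.2","id.resp_p":22,"proto":"tcp","service":"ssh"}
"""

SURICATA_LOG = """\
{"ts":1600000000.15,"uid":"CxXy12AbCdEf","alert":{"signature_id":2000001,"signature":"CONSTRUCTED example rule: suspicious TLS SNI","severity":2}}
{"ts":1600000005.0,"uid":"Cunknown0000","alert":{"signature_id":2000002,"signature":"CONSTRUCTED example rule: no matching Zeek record","severity":3}}
"""

def index_zeek_by_uid(lines):
    """Group Zeek JSON records by connection UID, then by log path."""
    by_uid = defaultdict(lambda: defaultdict(list))
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        by_uid[rec["uid"]][rec["_path"]].append(rec)
    return by_uid

def enrich_alerts(suricata_lines, zeek_index):
    """Attach the Zeek evidence sharing each alert's UID; flag alerts with none."""
    enriched = []
    for line in suricata_lines.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        evidence = zeek_index.get(alert["uid"], {})
        conn = evidence.get("conn", [{}])[0]   # conn.log gives the 5-tuple context
        enriched.append({
            "uid": alert["uid"],
            "signature": alert["alert"]["signature"],
            "src": conn.get("id.orig_h"),
            "dst": conn.get("id.resp_h"),
            "service": conn.get("service"),
            "zeek_logs": sorted(evidence.keys()),  # which Zeek logs an analyst can pivot into
            "has_context": bool(evidence),          # False means no Zeek evidence for this UID
        })
    return enriched

if __name__ == "__main__":
    for row in enrich_alerts(SURICATA_LOG, index_zeek_by_uid(ZEEK_LOGS)):
        print(json.dumps(row))
```

An alert whose UID has no Zeek records (`has_context` false) is worth surfacing on its own, since it usually means a logging gap or a sensor seeing only part of the conversation.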

“To achieve our vision of extensible data and community engagement, we rely on open-source software, with enterprise-grade features added for easy deployment, security, integration, performance and extensibility,” said Dye. “Our integration of Zeek with Suricata is the natural progression toward a truly open NDR platform for customers.

“We are excited to support and participate in the vibrant Suricata community going forward, in addition to our historical community of Zeek developers and users,” added Dye.

“The Open Information Security Foundation is excited to welcome Corelight into the Consortium. Corelight and Zeek are long-time and respected members of the Suricata community, and we are thrilled to be part of this exciting new solution in the network defender’s arsenal,” said Dr. Kelley Misata, president and executive director of OISF.

Seamless integration of Suricata into the Corelight AP 3000 Sensor makes it possible for sophisticated security teams to rely on a single data source for unlocking advanced analysis capabilities in an easy-to-deploy form factor.

Beyond the functional integration to accelerate incident response, Corelight has engineered Zeek and Suricata to use a shared CPU architecture to ensure that sensor performance scales with traffic growth.

Also included in today’s launch are enhancements to the Corelight Encrypted Traffic Collection (ETC). The Corelight ETC is designed to expand defenders’ incident response, threat hunting and forensics capabilities in encrypted environments by generating insights around SSH and TLS traffic that indicate potential security risk.

New insights developed by Corelight’s research team include:

  • SSH agent forwarding detection: See when SSH agent forwarding occurs between clients and servers, which may indicate lateral movement where adversaries have compromised SSH credentials.
  • SSH MFA detection: See when SSH connections use multifactor authentication (MFA), which can help analysts rule out other explanations for anomalies in SSH connections. This detection can also help teams monitor external SSH servers for MFA compliance.
  • Non-interactive SSH detection: Reveal when SSH connections do not request an interactive terminal and instead use SSH as a port forwarding tunnel, which may indicate malicious SSH tunneling.
  • SSH reverse tunnel detection: Reveal when a client connects to an SSH server and provides the server with an interactive terminal, which may indicate malicious SSH tunneling.
  • DNS over HTTPS (DoH) detection: Reveal when DNS queries are made to known DNS over HTTPS (DoH) providers to provide insight into DNS traffic that would otherwise be hidden.

“Most network traffic – commonly 60-70 percent – is encrypted and decryption is often prohibited for policy or privacy reasons, yet defenders still need insight into malicious activity across their network,” said Dye. “The new capabilities in Corelight’s Encrypted Traffic Collection reveal a suite of behaviors that illuminate attackers’ footsteps across the network.”

Suricata integration in the Corelight AP 3000 Sensor as well as enhancements to the Encrypted Traffic Collection are available in the Corelight Version 19 update.
