Network Security

First Look: Corelight Sensor

Product Name: Corelight Sensor
Company Name: Corelight
Starts at $19,000 per year for physical appliances, and lower for VM or cloud deployments which are priced per Gbps.

What it does: Transforms network traffic activity into context-rich, actionable detail for security monitoring teams.
What we liked: Makes quick sense of traffic so incidents can be resolved faster, and threat hunting is done more efficiently.
The Bottom Line: Corelight sensors are a critical tool for any company looking to effectively monitor network traffic.

One of the biggest security challenges companies face is organizing mountains of network data into a format that makes it actionable for security teams; the large volumes and unstructured format also make it difficult for SIEMs to interpret.

The interesting part about malicious players is that they inevitably have to traverse the network to reach key data resources. With security teams always searching for that “needle” in a stack of “needles,” unstructured and difficult-to-interpret network data has a dramatic impact on the risk profile of any organization.

Having messy, incomplete data has been proven to directly raise a company’s business risk. When companies fall behind on organizing their data, they leave themselves open to attacks that go undetected or take longer to resolve, causing more damage. Structuring network data in a manner that adds context and makes it easier for SIEM technologies to consume eliminates the potential for data overload. Having security teams focus on relevant data reduces response time and ultimately reduces risk. Oftentimes the data people are working with is not what they actually need, leaving many companies on their own to pull from a variety of sources and stitch them together into one quick overview. Being able to distinguish the different types of data, and to filter out the wrong data so that teams can focus on having enough security-relevant data, is an important capability for any business.

Corelight has addressed this issue with an array of sensor technology designed and purpose-built for security. Corelight’s sensors have been specifically built to transform all network traffic into rich data, reassemble and extract important network files, and monitor for and detect threats with custom logic. The sensors build on the open source Zeek project (originally called “Bro”): Zeek acts as the processing engine for the data, while Corelight is a commercialization of that technology in a sensor package. The combination has resulted in a network security monitoring tool, rooted in open source, that is used by thousands of organizations. The Zeek Network Security Monitor transforms raw network traffic into comprehensive, actionable network logs that are organized by protocol. This technology allows the modern security stack to run with faster incident response, larger scope for threat hunting, and increased detection accuracy. Past customers of Corelight have indicated a 20 times faster response rate to incidents.

The Corelight product takes the open source Zeek software to a whole new level by improving throughput, adding a modern GUI and providing API interfaces. Once the box is configured it continues to collect data, which allows for constant monitoring. The Corelight product has been shown to be a true analyst tool for adding context to the many forms of data that traverse the typical network.

Corelight sensors simplify Zeek deployment and expand its performance and capabilities. The hardware appliances offer 1/10/40G monitoring interfaces. One of the key aspects of the approach is the Fleet Manager dashboard paired with the data collection sensors. Fleet Manager sorts the fleet into three overview categories: Needs attention, Near capacity, and Healthy. Sensors are categorized according to the policies the customer has set, and those policies are then applied to configure the sensors and their data transmission. The Corelight sensors can generate 40+ types of enriched logs out of the box; setup is straightforward and requires only IP addresses and data source selections. Out-of-the-box integrations include Splunk, Kafka, Syslog, Elastic and more, and Syslog serves as a common framework for sending data to other SIEMs such as QRadar and LogRhythm.
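To make concrete what "network logs organized by protocol" and "sending data to a SIEM" look like in practice, here is an added example that is not Corelight's or the Zeek project's own code. It parses Zeek's standard tab-separated log layout (the `#separator`, `#fields`, `#types`, `#unset_field` and `#empty_field` header directives that every Zeek log carries), types each column, summarises connections per service, and re-emits the records as newline-delimited JSON tagged with the log's `#path` so a downstream SIEM can route `conn`, `dns` or `http` events separately. The sample `conn.log` content, its addresses and the `_path` tag name are constructed for illustration.

```python
"""Minimal Zeek TSV log parser and SIEM-style JSON exporter (added example)."""
import json
from collections import defaultdict

# Constructed sample conn.log in Zeek's TSV layout; values are made up.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\n"
    "1700000000.100\tCxYz1\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl\t2.5\t1500\t48000\tSF\n"
    "1700000001.200\tCxYz2\t10.0.0.5\t51235\t192.0.2.53\t53\tudp\tdns\t0.01\t60\t120\tSF\n"
    "1700000002.300\tCxYz3\t10.0.0.7\t51236\t192.0.2.20\t80\ttcp\thttp\t1.0\t800\t12000\tSF\n"
    "1700000003.400\tCxYz4\t10.0.0.9\t51237\t192.0.2.99\t4444\ttcp\t-\t-\t-\t-\tS0\n"
)

# Zeek column types -> Python converters; anything else stays a string.
_CONVERTERS = {
    "time": float, "interval": float, "double": float,
    "count": int, "int": int, "port": int,
    "bool": lambda v: v == "T",
}


def parse_zeek_log(text):
    """Parse Zeek TSV log text into (path, list_of_record_dicts)."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields, types, path, records = [], [], None, []
    for raw in text.splitlines():
        if not raw:
            continue
        if raw.startswith("#"):
            if raw.startswith("#separator"):
                # The separator is given after a space in escaped form, e.g. \x09.
                sep = raw.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
                continue
            name, _, value = raw[1:].partition(sep)
            if name == "fields":
                fields = value.split(sep)
            elif name == "types":
                types = value.split(sep)
            elif name == "path":
                path = value
            elif name == "unset_field":
                unset = value
            elif name == "empty_field":
                empty = value
            # #open, #close and #set_separator are not needed here.
            continue
        cols = raw.split(sep)
        if len(cols) != len(fields):
            raise ValueError(f"record has {len(cols)} columns, expected {len(fields)}")
        rec = {}
        for name, typ, col in zip(fields, types or ["string"] * len(fields), cols):
            if col == unset:
                rec[name] = None          # Zeek's "-": field never set
            elif col == empty:
                rec[name] = ""            # Zeek's "(empty)": set but empty
            else:
                rec[name] = _CONVERTERS.get(typ, str)(col)
        records.append(rec)
    return path, records


def summarize_by_service(records):
    """Connection count and total bytes per detected service ('unknown' if unset)."""
    summary = defaultdict(lambda: {"connections": 0, "bytes": 0})
    for rec in records:
        entry = summary[rec.get("service") or "unknown"]
        entry["connections"] += 1
        entry["bytes"] += (rec.get("orig_bytes") or 0) + (rec.get("resp_bytes") or 0)
    return dict(summary)


def to_siem_json(path, records):
    """Newline-delimited JSON, each event tagged with its log path (assumed key name '_path')."""
    return "\n".join(json.dumps({"_path": path, **rec}, sort_keys=True) for rec in records)


if __name__ == "__main__":
    log_path, recs = parse_zeek_log(SAMPLE_CONN_LOG)
    print(summarize_by_service(recs))
    print(to_siem_json(log_path, recs))
```

The last sample record, a connection to port 4444 with no recognised service and the `S0` state (SYN seen, no reply), shows why the unset-field handling matters: a SIEM rule that keys on `service` must treat a null value as "unidentified" rather than dropping the event, since exactly those records are the ones an analyst hunting for unexpected traffic wants to keep.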

This solution is based on an annual subscription with the hardware purchased separately. The hardware is priced per sensor, and the price varies with the size of the appliance. On virtual and cloud offerings the pricing is based on capacity (average daily utilization). Corelight sensors can be stacked to increase capacity, using a packet broker to distribute traffic among several appliances to support very large networks. The company is very committed to customer support, which is maintained at a very high level and can include remote sensor monitoring if clients are open to it; this is included at no additional charge.
