Name: Suricata + Zeek: How it Works
Start: 2025-03-21T18:43:00Z
End: 2025-03-21T18:43:02.000Z
Location: BrightTALK
Rating: 0

Corelight transforms network and cloud activity into evidence so that data-first defenders can stay ahead of ever-changing attacks. Delivered by our open NDR platform, Corelight’s comprehensive, correlated evidence gives you unparalleled visibility into your network. This evidence allows you to unlock new analytics, investigate faster, hunt like an expert, and even disrupt future attacks. 

Our on-prem and cloud sensors go anywhere to capture structured, industry-standard telemetry and insights that work with the tools and processes you already use. Corelight’s global customers include Fortune 500 companies, major government agencies, and research universities.

Carrefour, one of the world's top ten retailers, uses Corelight to enhance its cybersecurity. Learn how they have extended their visibility and detected cyberattacks.

See How Carrefour Uses Corelight

What is network detection and response, how is it fundamental to #cybersecurity, and why should #investors and #security leaders be investing in the #NDR space? Watch as Corelight CEO Brian Dye shares the answers to these questions and more in a new interview with NYSE.

In the video you’ll hear Brian talk about how:

1. A Corelight customer used our Open NDR Platform to confidently turn down a #ransomware demand.

2. Our technology is fueled by the breadth and depth of network data that can only come from an #opensource community of elite defenders.

3. We’re the first to integrate Open AI into our NDR technology to accelerate investigation workflows through contextual network evidence.

Corelight CEO, Brian Dye talks to NYSE's Trinity Chavez on 'The Cyber Series'

Watch today on Outmaneuver attackers with Corelight and Splunk.

Outmaneuver attackers with Corelight + Splunk

See how Corelight's Open NDR Platform accelerates analyst workflow with GPT explained alerts and next steps for investigation. Learn more about Corelight's Open NDR Platform: https://corelight.com/products/open-ndr/

How Corelight Uses AI to Empower SOC Teams

Defenders face numerous challenges in their complex, ever-expanding environments. Good data or network truth shouldn't be one of them. As Corelight is the standard in the NDR market, we will explore how to pivot from NDR to several EDR tools. The demo will showcase popular tools and give analyst workflow examples and use cases.

SOC Visibility Triad, Why You Need NDR Alongside EDR

Enhance utility of evidence 
Identify malicious files from network activity and derive the right context without increasing false positives

Improve detection coverage 
Analyze large volumes of files for detecting threats that can be missed by EDR

Drive tool consolidation
Consolidate tools and eliminate the need for file extraction, storage and custom scripts

Open NDR static file analysis powered by YARA

The landscape of network security is rapidly evolving. Traditional network security, once centered around securing the network itself, is being redefined in the cloud era. This webinar is designed for architects seeking to adapt their strategies to the unique challenges presented by multi-cloud environments.

Watch this webinar to hear from Corelight and ISC2 speakers who will explore:

-The limitations of existing security approaches
- Key considerations for modern network security beyond preventive controls, including enhanced visibility, robust threat detection & elastic scaling
- How Open Network Detection and Response (NDR) can enhance multi-cloud security

Re-think Network Security with Cloud Transformation

SOC teams already know how challenging it is to monitor environments for possible compromises, vulnerabilities and the many other threats to an organisation.
 
Trying to keep on top of the new threats that are being seen in the wild and knowing what to search for and when is pretty much impossible. That's where Threat Intelligence can make a significant positive impact.
 
Firstly having a third party that is actively searching for new threats, ensuring that organisations are proactively protected, then providing the necessary information to add to tools to ensure these threats can be detected.
 
Join Matt Ellison at Corelight as we look at how our evidence based threat hunting can be significantly enhanced with the addition of threat intelligence feeds, both open source and commercial and how this can elevate your ability to detect even the newest threats.

Using Threat Intelligence to enhance detection correlation

Corelight announced a new capability: Corelight adds analysis of network extracted files - powered by YARA to its sensors.
 
With this new SKU, security teams will be able to use YARA rules for pattern-based detection to quickly analyze large amounts of files to identify and classify known and new malware, proactive threat hunting via IoCs.

You will discover how together, the Corelight NDR Platform and YARA can:

- Enhance utility of evidence
- Improve visibility and detection coverage
- Drive tool consolidation

Corelight adds analysis of network extracted files - powered by YARA to its sensors

Join Youssef Agharmine, the technical security expert from Corelight for a live webinar focusing on how to extend visibility and identify attacks during the transition to cloud infrastructure.

What you’ll learn:

• Expand visibility - how analytics fill visibility gaps that cloud native, CSPM, and CWPP tools leave behind.
• Detect and Respond - precisely identify attacks that are often disguised as legitimate traffic or tunnel through encrypted traffic. Identify and disrupt attacks such as data exfiltration, service enumeration, and more.
• Drive efficiency - Consolidate network security monitoring (NSM), IDS, and PCAP functionality. Uniform network telemetry across hybrid and multi-cloud environments reduces tool sprawl and improves operational efficiency.
 
This will be a technical presentation—we’ll be demoing Corelight in the cloud!

How NDR contributes to visibility and security in the cloud

Artificial intelligence (AI) and machine learning (ML) are increasingly seen as powerful tools to counter cyberattacks. However, opinions among cybersecurity experts vary, and it is crucial to understand the potential limitations and benefits of AI/ML in security operations.

Join executives from Google Cloud and Corelight in this joint on-demand webinar as we delve into the world of AI/ML for security operations. We will enable you to cut through the hype and address the following key questions:

- What is AI/ML for security?
- What specific problems can AI/ML solve for security operations?
- What challenges should teams be aware of?
- How will AI/ML shape the future of cybersecurity on both attack and protection fronts?

You will gain valuable insights into how AI/ML can help address critical industry challenges, such as the analyst shortage and skill gaps. We will explore how AI/ML can reduce the time to detect and respond to threats, ultimately making the SOC more efficient and effective.

Demystifying AI/ML for Security Operations

Corelight drives broad coverage across the MITRE ATT&CK TTPs using an approach focused on visibility and explainable, evidence-based analytics. The foundation of this approach is Zeek® network telemetry, data that captures activity across a broad set of network protocols and fuels advanced

In this on-demand webinar you will learn how to: 

1. Find pass the hash attacks where attackers authenticate without the user's cleartext password
2. Spot attempts to gain unauthorized interactive access to workstations and servers via RDP
3. Monitor FTP for potential transferers of malicious toolkits into your environment

How to find lateral movement with Zeek and MITRE ATT&CK

Many organizations want to start threat hunting but struggle with knowing where to begin, how to measure success, and how to scale an effective program.

This presentation draws on the experience of elite hunters and teams around the world and will discuss an actionable threat hunting maturity model and help you prepare for each step of the journey with specific guidance, concrete examples, and sample threat hunts.

Benchmarking Threat Hunt Readiness

Analysts are well aware of the need for an evidence based toolset. Being able to investigate alerts and find the necessary data to inform the resolution and remediation is key. But despite that, many SOCs are still struggling to work through the ever increasing volumes of alerts and detections. Even knowing that some detections will have false positive rates in the high 90%, they still remain - just in case.

We will be discussing how organisations can start to pivot from a reactive, alert driven approach, progressively replacing those ineffective detections with evidence based threat hunts, increasing analyst efficiency and improving awareness as you go.

When I grow up I want to be a Threat Hunter

Threat hunters need evidence to find adversaries. Networks offer a broad and reliable source of evidence, helping hunters make sense of movement across their environment via an immutable record of activity. Traffic, unlike endpoints, cannot lie. But the rise of encryption complicates this picture, especially where decryption isn't an optimal or possible solution.

Fortunately, the open-source Zeek Network Security Monitor (formerly Bro) can provide visibility into actionable metadata on encrypted streams for threat hunters without breaking and inspecting payloads. With Zeek, analysts can see the use of self-signed certificates, fingerprint SSH and SSL traffic, identify encryption on non-standard ports, and more. And Corelight's commercial solutions extend Zeek's capabilities, especially around SSH traffic, giving analysts new insight into activities such as file transfer or keystrokes over SSH.

Watch this technical webcast to hear from Matt Ellison at Corelight, about his experience using Zeek and Corelight to threat hunt and learn how you can apply their insights in your environment, whether traffic is encrypted, or not.

How To Threat Hunt in Encrypted Network Traffic

What happens on the endpoint doesn’t stay on the endpoint. To effectively defend against advanced threats and lateral movement, you need visibility beyond individual devices. By using Cribl’s enrichment and routing capabilities to combine Corelight’s comprehensive network telemetry with your EDR telemetry, you can gain comprehensive visibility of what happens on and in between all of the devices on your network. Join our webinar to learn how the combined solution expands visibility, bolsters detection, and accelerates investigations while maintaining data fidelity. 

Attendees will learn how to:

• Consolidate IDS, PCAP, and other network sources to provide a single comprehensive source of network telemetry
• Correlate, enrich, and route both endpoint (EDR) and  network (NDR) data into your SIEM
• Enable real-time threat detection and seamless ingestion, normalization, and enrichment of security data into any SIEM

Unify endpoint and network telemetry for any SIEM

Building on our native integration with Splunk, the new Corelight App for Splunk can help overworked SOC analysts significantly reduce dwell time, mean time to respond (MTTR), and operational costs. By providing intuitive and insightful dashboards with direct links to related details, the “Splunk App” allows security teams to quickly understand implications of hybrid, multicloud network activity, as well as streamline event investigations and upscale their SOC capabilities.

Watch to see a demo and hear from current and former Splunkers and SIEM experts how the new Splunk App can simplify your SOC workflows and investigations.

Boost SOC Productivity with Corelight and Splunk

Put defenders on top with alerts integrated into evidence.
Corelight delivers the foundation next-level incident response by integrating the open source powerhouses Zeek and Suricata. With Suricata alerts embedded directly into Zeek logs, analysts can see linked activity across a host of vital protocols including as DNS and HTTP. This helps them make faster decisions, and see patterns of activity across your whole network.

Both Suricata and Zeek let you create solutions that fit your environment through rapid customization. You can load any open source ruleset you want, then feed the alerts into scripts you’ve written for event handling. This leads to real security impact, like when it allowed our community to respond to Curveball in just one day.

Suricata + Zeek: How it Works

Network Security

Network Detection

Security Analysis

Threat Hunting

Threat Detection

Incident Response

Cybersecurity

Security Automation

Security Operations Center

SecOps

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Suricata + Zeek: How it Works

Presented by

About this talk

More from this channel