Name: Suricata + Zeek: How it Works
Start: 2025-03-21T18:43:00Z
End: 2025-03-21T18:43:02.000Z
Location: BrightTALK

Corelight transforms network and cloud activity into evidence so that data-first defenders can stay ahead of ever-changing attacks. Delivered by our open NDR platform, Corelight’s comprehensive, correlated evidence gives you unparalleled visibility into your network. This evidence allows you to unlock new analytics, investigate faster, hunt like an expert, and even disrupt future attacks. 

Our on-prem and cloud sensors go anywhere to capture structured, industry-standard telemetry and insights that work with the tools and processes you already use. Corelight’s global customers include Fortune 500 companies, major government agencies, and research universities.

Avec la généralisation du chiffrement, une part croissante du trafic réseau échappe à la visibilité des équipes de sécurité. Comment maintenir une détection efficace sans recourir à un déchiffrement coûteux et complexe ?

Dans ce webinaire, nous explorerons comment les solutions Network Detection & Response (NDR) permettent de restaurer la visibilité sur le trafic chiffré tout en préservant la confidentialité, la performance et le budget.

Au programme :

• Les défis actuels liés au chiffrement et à la perte de visibilité réseau.

• Des cas d’usage concrets issus du terrain.

• Une approche pragmatique pour renforcer la détection et la prise de décision sans dégrader les performances ni multiplier les coûts.

Découvrir comment allier efficacité, sécurité et maîtrise des dépenses dans un environnement où le trafic chiffré est devenu la norme.

Trafic Chiffré, Visibilité Restaurée : Renforcer la Détection sans Déchiffrer ni Exploser les Coûts

Security operations centres (SOCs) face growing pressure to keep up with evolving threats and the explosion of data—especially network data, which is critical for both human analysts and AI-driven detection, since AI relies on rich, high-quality data to identify threats. But as data volumes grow, so do costs and complexity, forcing tough choices about what to collect, store, and analyse.

In this webinar, experts from Corelight and Cribl will show how modern SOCs can maximise the value of every byte—without breaking the bank. Learn how to tier data across SIEMs, data lakes, and object storage for cost efficiency, empower analysts with search-in-place and expanded datasets, and operationalise both human- and AI-generated context for faster, more effective threat hunting.

Key Takeaways:

- Discover how network evidence expands threat detection to cover advanced adversary techniques, including EDR evasion, and accelerates investigations.
- Learn strategies to cost-effectively manage and tier security data across multiple storage solutions.
- See how Corelight and Cribl enable investigations and provide rich datasets that machine learning platforms already understand, accelerating AI-driven security workflows.
- Explore future-ready SOC architectures that integrate seamlessly with your existing SIEM, AI/ML, and detection tools.

How to Maximise Data Value in the AI Driven SOC

Dans cette présentation, nous aborderons certaines fonctionnalités de la solution NDR de Corelight qui non seulement sont uniques sur le marché, mais qui offrent également aux utilisateurs la possibilité de regrouper plusieurs outils en une seule solution, tout en réduisant les coûts, aussi bien en dépenses d’investissement qu’en dépenses opérationnelles.

Nous expliquerons comment la fonctionnalité YARA de Corelight permet aux clients d’effectuer une analyse en temps réel par signature des fichiers transmis en clair. Non seulement le fichier est capturé, stocké et analysé, mais des alertes peuvent aussi être configurées pour fournir le niveau de détail et de visibilité nécessaire dans le cadre de vos activités de threat hunting et de votre posture de sécurité globale.

Nous présenterons également comment SMART PCAP permet aux clients de Corelight de capturer uniquement les PCAP liés aux données qui les intéressent, avec des liens vers les fichiers capturés directement intégrés dans l’alerte correspondante. Grâce à ce lien direct en un clic, l’accès aux PCAP est instantané, évitant des heures de recherche fastidieuse dans des arborescences de fichiers.

Enfin, nous partagerons le cas d’un client de Corelight qui a refusé une demande de rançon de 10 millions de dollars en s’appuyant sur Corelight pour démontrer que les attaquants n’avaient en réalité pas accédé aux données qu’ils prétendaient avoir compromises.

NDR : des fonctionnalités méconnues… mais indispensables !

Explore how we leverage our pillar technologies—namely Zeek, Suricata, and AI—to monitor and respond to threats against the BlackHat conference.

The BlackHat NOC is a collaborative effort between some of the industry's best vendors and products, with Corelight focusing on Network Detection and Response.

After nearly two years on the global conference circuit, I am excited to share insights and lessons learned from this unique and complex network, including how we leverage LLMs to improve alert triage in offensive security trainings. We’ll conclude with a few anecdotes from our investigations, highlighting our approach to threat detection in this unique environment.

Defending Black Hat: How Corelight leverages Zeek, Suricata, and AI at the BlackHat NOC

Join Corelight and GigaOm to discuss key trends shaping the future of NDR.

In today's complex threat landscape, traditional security measures are no longer enough. NDR provides the crucial insights you need to detect, investigate, and respond to advanced threats that bypass other defenses. This webinar will provide actionable strategies and a deep dive into how Corelight’s Open NDR can help you close cases faster, with more accuracy and greater efficiency.

What you’ll learn:

In this webinar, we will be joined by GigaOm Field CTO Chris Ray to talk about current requirements and future trends that buyers need to consider when choosing an NDR solution. Chris will be joined by Corelight’s Ashish Malpani for a deeper dive into Corelight OpenNDR with a focus on capabilities such as:

• Deep packet inspection: Deep packet inspection (DPI) allows NDR solutions to analyze both packet headers and payloads, providing granular visibility into network traffic. This capability is crucial for detecting sophisticated threats hidden within seemingly benign traffic.

• Encrypted traffic analysis: Encrypted traffic analysis allows NDR solutions to detect threats within encrypted network traffic without decrypting it. This capability is essential for maintaining data privacy while still identifying potential security risks in an increasingly encrypted network landscape.

• Historical forensics: Historical forensics capabilities enable NDR solutions to store and analyze historical network data for post-incident investigation and threat hunting. This feature is crucial for understanding the full scope of security incidents and identifying long-term patterns of malicious activity.

The discussion will also take a deeper look at key purchase considerations and the use cases that NDR can address. This session will also be an opportunity for you to get your pressing questions answered by a GigaOm analyst and Corelight’s security specialists.

Illuminating NDR with the GigaOm Radar

In this presentation, we will cover some of the features and functions of Corelight's NDR that are not only unique to Corelight as an NDR solution, but offer users the opportunity to consolidate multiple tools into a single solution whilst also saving costs on both capital and operational expenditures.

We will talk about how Corelight's YARA functionality allows customers to perform realtime signature analysis of files transmitted in the clear. Not only is the file captured, stored and analysed, but alerts can be configured to provide the insight and detail that you require as part of tour threat hunting and general security posture.

We will also talk about how SMART PCAP allows Corelight's customers to move away from unwieldy full PCAP solutions that require huge costly storage solutions, that still only contain days or maybe even just hours of data. Instead, customers are able to capture PCAPs directly related to the data that is important to them, with links to the captured file directly embedded in the associated alert. With one click linking, viewing these PCAPs is instantaneous, avoiding the hours of searching through file structures to find the data you need.

Finally, we will talk about how one of Corelight's customers refused a $10m ransomware demand by using Corelight to prove that the attackers had not accessed the data they claimed to have.

Things You Didn't Know Your NDR Could Do!

Watch this insightful webinar where we explore the powerful integration between Corelight and Niagara Networks—two industry leaders committed to advancing network security and visibility. As cyber threats continue to evolve, organizations require robust solutions to effectively monitor, detect, and respond to malicious activities within their network environments.

In this session, we'll delve into how Corelight’s cutting-edge network detection and response solutions, powered by open-source Zeek, seamlessly integrate with Niagara Networks’ sophisticated network decryption platforms. This collaboration empowers enterprises to capture and analyze network traffic with unparalleled precision, ensuring enhanced threat detection and streamlined security operations.

Key topics covered will include:

- The architecture of Corelight's sensors and how they leverage Niagara Networks’ packet brokers for decryption.
- Strategies for deploying Corelight and Niagara solutions to maximize network visibility and security without compromising efficiency.
- Real-world case studies demonstrating the integration's impact on network security posture.

Whether you're looking to strengthen your organization's defenses or simply stay informed on the latest advancements in network security technology, this webinar offers valuable insights and practical guidance. Don't miss the opportunity to learn how this integration can transform your approach to network security.

Unlock the Secrets of Encrypted Traffic for Enhanced Security

Corelight Launches AI-Powered NDR SaaS Platform on AWS Middle East that ensures Data Residency, Sovereignty, and Compliance.

AI-Powered NDR SaaS Platform on AWS Middle East

Focus Enterprises - English subtitles

As adversaries escalate their focus on unmanaged, internet-exposed hosts to breach enterprise defenses, security teams face mounting pressure to detect and stop these threats before they escalate. Join experts from CrowdStrike and Corelight to explore how the powerful combination of endpoint detection and response (EDR) and network detection and response (NDR) creates a more resilient security posture.

Learn how CrowdStrike’s leading EDR platform pinpoints compromised endpoints while Corelight’s Open NDR delivers deep network visibility to detect lateral movement, command-and-control traffic, and evasive techniques that often bypass endpoint controls. Attendees will learn how our integrated solution across the CrowdStrike Falcon platform enables faster detection, more confident investigation, and decisive response to today’s most advanced intrusions.

Attackers Are Already Inside Your Network — Here’s How to Shut Them Down

On November 21, 2024, CISA posted a security advisory with lessons learned from a red team assessment of a critical infrastructure organization. In the security advisory, CISA cautioned that an over-reliance of EDR without combining network layer protections can leave an organization ill-equipped to prevent and detect malicious activity. More and more, organizations are realizing the need to shift from endpoint-centric solutions to XDR solutions that include network-focused strategies. This expert panel will examine why EDR is often insufficient and how NDR is gaining traction as a complementary solution. We'll discuss the necessity of a holistic threat detection that includes signatures, pattern matching with YARA, anomaly detection, and AI-augmented detection technologies.

Watch the webinar to discover how AI and ML are revolutionizing network defense, learn actionable steps for enhancing cyber resilience, and examine real-world scenarios, as we explore the future of network security.

Beyond EDR: Embracing the Network-Driven Cyber Defense

Rob Joyce, Former NSA Cybersecurity Director, joins Corelight's Brian Dye for a conversation on the evolving cyber threat landscape. They'll discuss AI's role in security, how nation-state actors target critical infrastructure, and strategies for defending against these threats. Gain insights on balancing innovation with security risks and actionable best practices for organizational resilience.

AI, Cybersecurity, Global Threats: A Discussion with Rob Joyce and Brian Dye

Is your organisation impacted by the new compliance regulations such as DORA (Digital Operational Resilience Act) or NIS2 (Network and Information Systems Directive)? Watch this webinar to learn how Corelight can help your organisation navigate and achieve compliance with these critical EU regulations.

Key Discussion Points:
- Understanding DORA & NIS2: An overview into the regulatory requirements and what they mean for your organisation.
- Corelight’s Role in Compliance: Discover how Corelight’s advanced network security monitoring, threat detection, and incident response capabilities can support compliance with DORA and NIS2.
- Enhancing Cyber Risk Management: Learn how Corelight can empower your team to detect, respond to, and mitigate cyber threats, ensuring your organisation is ready for any security challenges.

Achieving Compliance with DORA & NIS2 Regulations with Corelight

Watch ESG Principal Analyst John Grady and Corelight Field CTO Vincent Stoffer explain how security teams can use network detection and response (NDR) to combat EDR-evasive threats.

Why the right network data matters for detecting evasive threats

Corelight’s approach to operationalizing cyber threat intelligence involves integrating data from various existing security solutions and vendors within an organization to provide contextual information alongside raw data, such as IP addresses. By ingesting and synthesizing this enriched data, Corelight enhances the analyst's ability to quickly and accurately discern between benign activities, such as vulnerability scans, and potential threats. The goal is to empower analysts to leverage all available tools effectively, enabling them to make rapid decisions about incidents without the time-consuming task of manually correlating information from multiple sources.

Corelight’s approach to operationalizing cyber threat intelligence

Operationalizing cyber threat intelligence encompasses the collection, analysis, and integration of threat data into security operations. This video outlines the process, starting with the acquisition of intelligence from diverse sources—open-source intelligence (OSINT), commercial feeds, and internal data—and the importance of selecting sources that align with the organization's specific environment.

The analysis and tuning of this intelligence are essential to avoid overwhelming security teams with false positives and ensure resources are allocated efficiently.

The video also emphasizes the importance of configuring security tools and systems for optimal performance, including the selective use of behavioral IOCs like Zeek packages and the careful management of indicator databases to prevent resource overconsumption.

How to operationalize cyber threat intelligence

This video explains the immutable nature of network data and its role as the ground truth in cybersecurity. It explains how sensors strategically placed across network perimeters or within specific segments can identify anomalies and potential threats by leveraging cyber threat intelligence. This intelligence, which includes known malicious IPs, domains, and file hashes, equips sensors with real-time detection capabilities.

Furthermore, the automated integration of cyber threat intelligence feeds ensures sensors remain up-to-date amidst evolving cyber threats, enhancing their ability to discern genuine threats from false positives and enabling proactive security measures.

The video also highlights the importance of contextualizing alerts with additional information, such as vulnerabilities, operating system versions, and host names, to prioritize incident response effectively.

The advantage of network observation for cyber threat intelligence

In this video, we examine the three distinct types of Indicators of Compromise (IOCs) crucial for operationalizing cyber threat intelligence: 

Atomic indicators, such as IP addresses and domain names, offer static evidence that can be easily spotted within network traffic, both encrypted and unencrypted, allowing for quick identification and alerting based on known malicious signatures. 

Computed indicators take a more complex approach, involving calculated elements like JA3 fingerprints or file hashes that require enhanced sensor or SIEM capabilities for data assembly and analysis to flag potential threats. 

The most intricate, behavioral indicators, combine atomic or computed elements—or may not involve them at all—and are predicated on behavior patterns or Tactics, Techniques, and Procedures (TTPs), necessitating advanced tools like Zeek or Suricata to discern and alert on suspicious network activities.

The three network-based indicators of compromise (IOCs)

Put defenders on top with alerts integrated into evidence.
Corelight delivers the foundation next-level incident response by integrating the open source powerhouses Zeek and Suricata. With Suricata alerts embedded directly into Zeek logs, analysts can see linked activity across a host of vital protocols including as DNS and HTTP. This helps them make faster decisions, and see patterns of activity across your whole network.

Both Suricata and Zeek let you create solutions that fit your environment through rapid customization. You can load any open source ruleset you want, then feed the alerts into scripts you’ve written for event handling. This leads to real security impact, like when it allowed our community to respond to Curveball in just one day.

Suricata + Zeek: How it Works

Network Security

Network Detection

Security Analysis

Threat Hunting

Threat Detection

Incident Response

Cybersecurity

Security Automation

Security Operations Center

SecOps

The IT security community on BrightTALK is composed of more than 200,000 IT security professionals trading relevant information on software assurance, network security and mobile security. Join the conversation by watching on-demand and live information security webinars and asking questions of experts and industry leaders.

IT Security

As an IT professional, many of the problems you face are multifaceted, complex and don’t lend themselves to simple solutions. The information technology community features useful and free information technology resources. Join to browse thousands of videos and webinars on ITIL best practices, IT security strategy and more presented by leading CTOs, CIOs and other technology experts.

Suricata + Zeek: How it Works

Presented by

About this talk

Corelight