Tackling sophisticated threats with Corelight

Implementing robust cybersecurity measures, leveraging advanced technologies and fostering continuous improvement are critical steps in achieving a robust cybersecurity posture. Vijit Nair, Sr. Product Director at Corelight, discusses how to protect digital assets in a connected world and uncovers the path to fortify defences. He highlights the primary ways Corelight is helping organisations enhance their cybersecurity posture and drive significant growth.

Vijit Nair, Sr. Product Director at Corelight 

Can you start by telling us about yourself and your career path so far?

My career path has been somewhat traditional. I grew up in India deeply fascinated by science and technology. I recall undertaking projects in high school like determining the optimum flight path for drones about 30 years ago. This fascination led me on a journey around the world and ultimately to the US for college. After graduating, I joined a startup where we were working on AI before it became widely popular. We used AI to predict the health of machines and systems utilised by large organisations in the US. It was an exciting project with a significant green energy focus. Eventually, I joined Juniper Networks and during my tenure there, I started in the engineering organisation developing some of the world’s most advanced and fastest routers and eventually got promoted to the head of product for their cloud vertical.

Following this, I was looking for a company that was dedicated to solving a significant problem that the world and community cared about which is why I took the opportunity to join Corelight. I’ve been at Corelight now for around four and a half years working on various products before becoming head of product.

What are some of the main challenges facing security organisations today?

After conversing with Chief Information Security Officers (CISOs) almost weekly for several years, it’s clear that the environments they intend to secure are becoming more complex. Several factors contribute to this evolution. The pandemic, for instance, forced many organisations to transition to remote work. Consequently, workloads and applications shifted from data centres and campuses to the cloud, adding layers of complexity. This ongoing change is driven by developers, engineers and users adopting new and interesting technologies which continuously expand the attack surface. As a CISO, one must remain vigilant about the evolving threat model and address these changes consistently.

Adding to this complexity is the constantly shifting geopolitical landscape. Attackers are becoming increasingly resourceful and sophisticated, ranging from low-level hackers to nation-state actors who are equipped with advanced AI tools. Thus, not only are the environments growing more complex, but the threats are also becoming more sophisticated.

Compounding these challenges is the difficulty in securing skilled personnel. Despite significant investments in tools and processes, there has been inadequate focus on training and developing cybersecurity talent. This results in a persistent struggle to find individuals with the right skill set to protect organisations effectively. The tension between increasing complexity and sophisticated threats versus a shortage of adequately skilled professionals remains a significant hurdle for CISOs.

What steps can organisations take to strengthen their cybersecurity posture? 

As CISOs attempt to gain a comprehensive view of their organisation’s current situation, they need to grasp the scale and complexity of their environment and focus on simplifying it. This involves reducing the number of tools in use to enable the team to concentrate on achieving their objectives rather than managing a multitude of tools. The focus should be on selecting fewer and more effective tools that help reach the desired outcome and by doing this, organisations can become more efficient.

Training within the organisation is also crucial as is identifying and nurturing individuals who are passionate about cybersecurity. Collaborating with other vendors often provides additional training resources for customers, which contributes to continually upskilling the workforce. This ensures they are prepared to tackle ever-evolving challenges.

In a nutshell, the CISO’s role should revolve around maintaining a high-level perspective on the threat landscape, reducing the complexity of security tools and continually enhancing the skills of their team to stay ahead of potential threats.

How does Corelight address these challenges?

Corelight is the fastest-growing Network Detection and Response (NDR) company. NDR monitors network activities and generates data and detections that help security organisations identify malicious behaviours. It ensures compliance and provides the tools and data necessary to address issues. Corelight captures network traffic through mirrors, taps or spans using engines based on open-source technology to produce the best data and detections. SOC analysts regard this data as ‘ground truth’ because it is reliable and hard for attackers to bypass. Unlike other tools, Corelight focuses on network activities where attackers must inevitably operate, thereby illuminating the blind spots in an organisation’s network.

We address challenges in three primary ways. First, we emphasise the power and quality of the data we generate. Unlike other tools that inundate analysts with irrelevant alerts, our focus on high-quality data reduces false positives and highlights significant detections. Our data is considered the de facto standard for network data worldwide. High-quality, security-centric and unopinionated data allows for effective analytics, whereas poor data quality undermines even the best analytics.

Secondly, we have invested heavily in AI and ML capabilities as integral components of our product. Recently developed GenAI technologies enhance the analysts’ capabilities, providing them with advanced tools to boost their efficiency. Our AI-driven approach ranges from highly accurate but simple detections to sophisticated ones which, while prone to some false positives, are designed to maintain a good level of accuracy and explainability. This ensures analysts are not overwhelmed by noise and can understand the relevance and reasoning behind each detection.

Finally, our approach is validated by leading Incident Response organisations such as CrowdStrike and Google Mandiant which have standardised Corelight as their NDR tool. This validation, combined with substantial recent funding from investors like CrowdStrike and Cisco, underscores Corelight’s growing market traction and the increasing value of NDR. These investments reflect the industry’s recognition of our technology’s potential and the power of the data we provide to enhance their SOC ecosystems.

What kind of growth are you seeing for your products?

Our primary focus has been on developing products specifically designed for highly mission-critical and risk-centric organisations in the cybersecurity domain. Our aim is to make this technology accessible to every SOC analyst globally. About a year ago, we launched a SaaS platform that encapsulates the power of our data and offers highly accurate and specific detections, making it easily accessible to SOC analysts. 

Given the skills shortage organisations face for level one and level two analysts, merely providing them with a deluge of data and detections is not effective. That’s why we have developed an intuitive user interface that lowers the barrier for anyone and everyone to utilise our product. The objective is for level one and level two analysts to log into the platform, identify the critical issues requiring attention and access all necessary information to triage and investigate alerts efficiently, thereby enabling swift remediation and action.

We have built the SaaS platform around these principles to drive our core mission. In terms of traditional metrics, this product has shown phenomenal growth with record-breaking performance. There is significant traction and demand especially in the international market. Notably, our SaaS platform will now be available in the Middle East, specifically in Dubai, ensuring localised data accessibility for organisations in that region.

During a visit to Dubai, I had discussions with several customers about the product’s availability and they are eagerly anticipating its use. Ultimately, our goal is to make our solutions accessible to organisations and analysts of all skill levels. We are dedicated to constantly ensuring that our customers derive the utmost value from our offerings.

What are some of the shifting winds and how does this impact your innovation?

One noticeable trend is the shift from traditional workloads in classic data centres to the cloud. Many organisations are accelerating this transition for various reasons. Recently, with price increases on some tools within the ecosystem, this move has become even more urgent. The cloud, while similar in many respects, presents distinct challenges especially concerning threats and monitoring.

To address these challenges, we have developed a cloud-native deployment of all Corelight features and functionalities for AWS, GCP and Azure environments. This ensures access to traffic data and detection capabilities comparable to on-premise setups. However, it is not enough to simply migrate on-prem data to the cloud; it must be relevant to cloud operations. That’s why we are heavily invested in ensuring our data generation aligns with cloud security operation needs. This involves making it clear which AWS instances and services are generating specific traffic, thus adding valuable cloud context to our logs. Given the efficiency of cloud environments, our focus has shifted to creating detections that are cloud-native. For instance, detecting suspected data exfiltration from an S3 bucket is crucial as many organisations face this issue. Hence, we are deeply invested in cloud-specific threat research.

Additionally, we are exploring the use of GenAI to enhance analysts’ capabilities and responding to customer demands. Analysts face considerable complexities and require assistance. GenAI tools can help them investigate alerts and provide actionable insights. We have integrated this functionality into our product. Our advantage lies in our foundation on open-source technology which means our AI tools are already familiar with the open-source data and protections we utilise. This familiarity allows them to accurately answer customer queries. In a smart way, we implement these tools without compromising customer-sensitive data, offering the right actions and summaries for analysts to better understand and respond to threats.
