
Endace and Corelight step in to enhance incident response workflows

Endace and Corelight have entered into a strategic partnership to deliver insights and detailed forensic data to security teams, further enabling rapid incident response.

Corelight sensors produce protocol-specific logs for incident response and threat-hunting workflows within any SIEM.

When integrated with EndaceProbe Analytics Platform, these logs include Pivot-to-Vision links which connect SIEM events to the related packet data recorded by the EndaceProbes on the network.

Security analysts can quickly investigate incidents from their SIEM using a single-click drill-down to analyse recorded network history and examine a threat event’s packet data in granular detail.

Additionally, Corelight’s Software Sensor can be hosted directly on the EndaceProbe platform in Application Dock, the EndaceProbe’s analytics hosting environment.

This allows joint customers to simplify deployments and extend Corelight sensor coverage by deploying sensors wherever they have an EndaceProbe deployed, the companies state.

New Corelight virtual sensors can be deployed at any time in minutes on EndaceProbe, providing greater agility in the fight to defend the network.

Endace VP of product management Cary Wright says, “Security analysts are in desperate need of faster, more accurate incident response workflows.

“They have a tough job closing out security incidents when evidence such as system logs may have been modified or wiped by an attacker. However, what attackers can’t change is the packet record of what happened on the network and the vast majority of attacks happen across the network.”

He says, “The combination of rich Zeek logs from Corelight sensors and Endace always-on packet capture provides the critical evidence needed to more quickly identify potential threats and preserve all the network evidence for fast, accurate security investigations.”

Corelight senior director of product management Vijit Nair says, “The power of this integration is having one click access to all this network data right from within the SIEM.

“Security teams need fast access to rock-solid evidence so they can remediate threats before they progress to more serious stages and analysts don’t have time to learn lots of different tools.

“Having both Corelight logs and Endace packet data accessible right from within the SIEM means all the data needed to identify, investigate and remediate threats is right at their fingertips.”

The Endace Fusion Program enables cybersecurity and network monitoring partners to use EndaceProbe’s API integration and Application Dock VM hosting to connect their solutions directly to Network History.

This allows network and security analysts to streamline and automate detection and investigation, choose from various security and performance solutions, and deliver shared access to a common, authoritative source of network history to all applications and teams that need it.