Incident & Breach Response , Network Detection & Response , Security Operations
Corelight Pursues IR Partnerships, Smaller Enterprise Deals
CEO Brian Dye Touts CrowdStrike Partnership, Midsized Enterprises as Key to GrowthCorelight has cemented partnerships with incident response firms and extended its capabilities from large enterprises to midsized enterprises to further the reach of its technology.
See Also: OnDemand Webinar | Utilizing SIEM and MDR for Maximum Protection
The San Francisco-based network detection and response firm inked its first IR partnership last month, allowing Corelight's technology to be used by CrowdStrike's incident response team during network-based investigations and included in the company's managed services bundle, said CEO Brian Dye. Feeding Corelight's network data into EDR and XDR tools will allow more correlation to be done, he said (see: Harnessing the Power of Open Source to Protect Networks).
"What we're doing with CrowdStrike is indicative of work we can do with incident response partners overall, because most IR firms have the same challenge that CrowdStrike does," Dye told Information Security Media Group. "They are balancing depth of insight you can get off the endpoint and breadth of insight you can get off the network. That's a really interesting channel for us to continue to develop."
What Incident Responders Need From an NDR Tool
Thanks to the new partnership, Dye said, Corelight's managed network defense offering will be included as part of CrowdStrike's managed threat defense platform. Many organizations that use CrowdStrike for incident response subsequently adopt the company's managed defense offering to stop future attacks, and Dye said this buying motion will lead to Corelight getting put on the radar of many new prospects.
Corelight has signed additional incident response partners beyond CrowdStrike and expects to announce the new relationships in the coming months, Dye said. Deploying Corelight will help incident responders streamline their investigations into large-scale breach environments, which might require up to 10 or 12 consultants to gather strong enough evidence to answer tough questions from lawyers and regulators.
"Incident responders need the absolute best evidence to support their investigation," Dye said, "because they're not just finding threats and scoping out attacks, but they're actually prioritizing their investigation work. What the network helps you do is to get a broad-based view."
The large enterprises that Corelight has historically served normally look to deploy a new piece of technology over several weeks or months, Dye said. But an on-site incident response consultant must be able to instantly deploy Corelight's network detection and response and get immediate time to value given the immense pressure they face to diagnose what went wrong as quickly as possible, he said.
Life Beyond the Large Enterprise
Corelight traditionally served organizations in the Global 2000 and competed directly against ExtraHop and Vectra in the network detection and response market. The company plans to capitalize on its SaaS-based Investigator platform to expand into serving midsized enterprises in the Global 5000, which he said will put the company in direct competition with Darktrace.
"What we're doing with CrowdStrike is indicative of work we can do with incident response partners overall."
– Brian Dye, CEO, Corelight
Large enterprises typically have a robust internal security team and want to ingest the information generated by a company such as Corelight into their own data lakes and analytics engines, Dye said. But the size and scope of the security team at a midsized enterprise is considerably smaller, meaning Corelight needs to be packaged out of the box in a way that's easy for smaller enterprises to use, he said.
"They need the tool to do the work for them," Dye said, "as opposed to, 'Oh, I have a team of 10 people doing in-house detection engineering.' That's not something you see in the midsized enterprise."
For large enterprises, Corelight wants to improve and extend the quality of its data so businesses can spend less time grooming and fixing the data and more time doing actual analysis, he said. Corelight's new entity collection tool baselines an organization's entire environment every 15 minutes to indicate what network entities and IT addresses are present, which he said makes downstreaming radically faster.
Queries that used to take 15 to 20 minutes in a traditional setup now take just 3 to 5 seconds since SIEMs and automation workbooks can analyze the data in the manner it was presented rather than having to make fixes, Dye said. Corelight has focused on generating new insights and making the data friendly for analysis by both humans and machines, he said.
The high end of the Fortune 500 historically used proprietary internal tools for network analytics, but Dye said Corelight can reduce SIEM costs for large enterprises by enough to cover the cost of purchase. In these settings, he said, Corelight is part of a tech modernization project that displaces everything from NetWitness and Blue Coat Solera to McAfee and Cisco IDS.
"There are lots of ways you can analyze data," Dye said. "If you don't have the data, you're stuck. And because of that, we make sure that our customers can actually get access to that, whether it's raw evidence or derived primitives or another form of analytics."