When Brian Dye decided to combine years of leadership experience in the security industry with the joys and challenges of entrepreneurship, he scanned hundreds of startups, but found few that really appealed to him.
“The vast majority of them were either an outright bad idea, a feature, not a company, or served a small market,” Dye recalls. “There were maybe 20 or 30 that were actually interesting, that I felt could become successful standalone security companies.”
One company, Corelight, towered over the rest.
Powered by scalable, open source network monitoring technology—and today also by GenAI—it offered an industry first open network detection and response (NDR) platform and was growing rapidly at scale. That was 2018—a year after the company had raised its Series A funding. Brian was amazed by the power and depth of the network telemetry that Corelight unleashed and joined forces to lead the phenomenal product team at Corelight. Since then, Corelight has established itself in complex, mission critical larger enterprise and Federal use cases that prioritize depth and scale of network telemetry. Now CEO, Brian is shining a torch on the dark underbelly of adversarial network attacks.
From the very first conversation, it was apparent that both Corelight and Cisco Investments shared a staunch belief in how core networks could provide insights to disrupt future cybersecurity attacks. In this era of hyper-distributed devices, remote users, and ephemeral applications, if there is a fulcrum that CISOs can lean on – it would be the network. We are excited to invest in Corelight’s Series E and embark on a joint mission to supercharge network visibility and predictive security – leveraging the power of open-source and Gen AI.
Deep open source roots
The Corelight architecture is rooted in a widely deployed and vibrant open source community. The company dates back to 2013, when Vern Paxson, Ph.D.—a professor of computer science at the University of California, Berkeley—worked together with Robin Sommer and Seth Hall to build a network visibility solution on top of an open source framework called Zeek (formerly Bro).
Paxson began developing Zeek in 1996 at Lawrence Berkeley National Laboratory in an effort to understand what was happening on his university and national laboratory networks. Today, Zeek is considered the gold standard for network security monitoring and network traffic analysis. It’s used by thousands of large organizations, from U.S. government agencies such as the U.S. Department of Energy to research universities like Indiana University, Ohio State, and Stanford.
Fuel for modern security
At the center of Corelight is the idea of data as fuel for modern security.
Consider the cat-and-mouse of cyber-attack and defense that has unfolded for more than two decades.
Attackers come up with new tools that evade current defenses and data stores to exploit new security holes. To keep pace with these tactics, defenders augment data and detection coverage. Everyone benefits from the resulting visibility into the security holes, and the cycle begins anew.
Corelight’s role in this flywheel of defensive technology is to provide, with the help of Zeek, the ground truth evidence (i.e., network data) that security teams need to root out malicious activity inside their organizations. This evidence—which is foundational to Corelight’s Open NDR Platform—empowers teams to increase network visibility, proactively hunt for threats, accelerate investigations, and create powerful analytics.
“The real opportunity here is that the network is a force traversal for the attacker. This ground truth—the canonical data itself—winds up being a force multiplier for a wide variety of tools and technologies across the SOC (Security Operations Center) and the SOC analysts themselves,” Dye says. “We provide ground truth across hybrid multi-cloud networks—wherever packets flow, that’s where we’re trying to be.”
It’s why a wide variety of technology partners—including recent Cisco acquisition, Splunk—choose Corelight to power their solutions.
Corelight + AI
Corelight’s open source approach benefits from the powerful security tailwinds around automation, large language models (LLMs), and GenAI. Organizations around the world are using generative AI tools like ChatGPT to accelerate their security investigations.
While many are learning how to build prompts and train models, those that combine these tools with open source security data sets like Zeek, find they get immediate value, with no vendor dependency and no lag. That’s because Zeek has been evolving publicly for over 25 years, which means the LLMs’ existing training process ingested it and can therefore act on it immediately.
Corelight’s LLM strategy is twofold.
On one hand, it provides out-of-the-box support for an abundance of practical LLM use cases that are natively available in products such as Investigator—a SaaS version of Corelight’s platform. These include using LLMs to translate alerts into English, give stock investigation guidance, and so on.
More importantly, the company is jointly supporting the development of multiple security-centric LLMs in an effort to drive compatibility across the ecosystem so that customers and partners have choice and flexibility in their still-evolving LLM strategies.
“What automation, GenAI, and LLMs all have in common is that you need great data to make them work,” says Dye. “That’s where I think the category is going over the next few years.”
Corelight + Cisco
Dye sees three main opportunities for Corelight and Cisco to work together. First is their shared focus around hybrid multi-cloud security; second is a big opportunity to extend and amplify Cisco’s portfolio distributed security architectures; and third is the opportunity to use Corelight’s data as an accelerator for all security operations within Splunk (Corelight already offers an app for Splunk).
“The data we provide can be an accelerant to both the coverage of Cisco’s protective tools, especially in a hybrid multi-cloud world, and to the ability of the SOC to respond to and prosecute those alerts,” Dye says. “No matter where the alert comes from, great data helps you accelerate that investigation.”