Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

SOC teams across businesses, industries, and geographies share the same goal: Stop cyberattacks before damage is done. But for those with legacy SIEMs, this is nearly impossible to achieve. Legacy SIEMs demand an overwhelming investment of time, resources, and expertise to set up and maintain.

Financial institutions, such as banks and trading houses, have a strong interest in recording key transaction activity within their networks. In the face of daunting data storage requirements, many are finding that Corelight’s network metadata—notably metadata produced by Zeek—is the key to a simplified tracking and storage process. Many of our customers used to rely on packet capture (PCAP).

The financial industry is known for its rigorous and sometimes quirky data retention requirements that can challenge even the most seasoned security expert. For example, FINRA Rule 4511 requires members to "preserve for a period of at least six years those FINRA books and records for which there is no specified period under the FINRA rules or applicable Exchange Act rules." Keeping six years of records: That's no small feat. But it's certainly doable.

In November 2024, I participated in SCinet with the Network Security team at SC24. My job was supporting Corelight sensors and threat hunting using the data the sensors produced. This engagement allowed for a very constructive comparison between the networking challenges at SC and Black Hat USA, where I had the honor of working in the Network Operations Center (NOC) a few months earlier. At SC, I felt immersed in the cutting-edge world of research computing with people showcasing the fastest everything.

Zeek is a powerful open-source network analysis tool that allows users to monitor traffic and detect malicious activities. Users can write packages to detect cybersecurity events, like this GitHub repo that detects C2 from AgentTesla (a well-known malware family). Automating summarization and documentation using AI is often helpful when analyzing Zeek packages.

Cobalt Strike is a penetration testing tool designed for adversary simulation and red team operations. Legitimately, it's used by security professionals to test network defenses, simulate attacks, and train incident response teams on how to detect and respond to real threats. Cobalt Strike was one of the first public red team command and control frameworks.