An old security technology is gaining new momentum as enterprises struggle with ever-more-sophisticated security threats. Corelight, the San Francisco-based company commercializing the open source Bro network security monitor, reports a surge in enterprise interest, especially among global multinationals.
CEO Greg Bell describes the technology as very battle-hardened, widely deployed open source software. Bro was created more than 20 years ago by computer scientist Vern Paxson to study complex Internet traffic patterns. A flexible script-driven intrusion detection system, Bro has been considered a powerful, but challenging tool best suited for critical high-performance environments.
Corelight calls Bro a “flight data recorder”: it works in the background with no preconceptions about what “normal” traffic should look like, watches all network traffic, and reports detailed information into data streams designed for incident responders, so users can easily go back in time to understand sophisticated cyber attacks.
“Most advanced organizations don’t expect to prevent every attack,” Bell said. “They believe you have to be prepared for that and be prepared to be surprised by what’s happening in the threat landscape tomorrow. Most advanced organizations are taking real-time data streams and aggregating them into an analytics platform of some kind.”
Corelight extracts real-time data from multiple sources of network traffic. Legacy tools are widely deployed for doing that, but the data they extract isn’t very detailed or very helpful, he said.
“Our technology isn’t an in-line solution — it’s not a firewall — it sits and monitors copies of network traffic at the enterprise edge or data center edge. As companies get more comfortable with the technology, they deploy it deeper into their cores to look at network flows in front of critical business assets. It looks at the traffic and produces very detailed protocol-specific summaries of what happened,” he said.
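The “flight data recorder” workflow described above (passive monitoring that produces protocol-specific records an incident responder can query after the fact) is illustrated by the following added example. It is not Corelight’s or the Bro project’s code: it parses a constructed sample laid out like Bro’s tab-separated conn.log (a “#fields” header naming the columns, “#unset_field” declaring the marker for absent values) and runs a retrospective query over the records.

```python
"""Parse Bro-style tab-separated logs and run a retrospective query over them."""
from typing import Dict, Iterator, List

# Constructed sample modelled on the layout of Bro's conn.log (not captured traffic):
# '#'-prefixed header lines describe the records, then one tab-separated record per line.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\n"
    "1500000000.000000\tCAbc1\t10.0.0.5\t49152\t203.0.113.10\t443\ttcp\tssl\t12.5\t1024\t20480\tSF\n"
    "1500000060.000000\tCAbc2\t10.0.0.5\t49153\t203.0.113.10\t443\ttcp\tssl\t-\t-\t-\tS0\n"
    "1500003600.000000\tCAbc3\t10.0.0.7\t53012\t198.51.100.20\t80\ttcp\thttp\t0.8\t512\t4096\tSF\n"
    "#close\t2017-07-14-00-00-00\n"
)


def parse_bro_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the '#fields' header.

    The unset marker (declared by '#unset_field', '-' by default) is mapped to
    None so a caller can tell "not observed" apart from a real value.
    """
    fields: List[str] = []
    unset = "-"
    for line in text.splitlines():
        if line.startswith("#unset_field"):
            unset = line.split("\t", 1)[1]
        elif line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines, '#close', blank lines
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError(f"record has {len(values)} fields, header declares {len(fields)}")
            yield {k: (None if v == unset else v) for k, v in zip(fields, values)}


def connections_to(records, resp_h: str, start_ts: float, end_ts: float):
    """Retrospective query: every connection to resp_h with start_ts <= ts < end_ts."""
    return [r for r in records
            if r["id.resp_h"] == resp_h and start_ts <= float(r["ts"]) < end_ts]


if __name__ == "__main__":
    recs = list(parse_bro_log(SAMPLE_CONN_LOG))
    for r in connections_to(recs, "203.0.113.10", 1500000000.0, 1500000100.0):
        print(r["uid"], r["id.orig_h"], r["service"], r["conn_state"], r["duration"])
```

The second record (conn_state S0, no duration or byte counts) shows why the unset marker matters: a half-open connection attempt must not be confused with a completed one that transferred zero bytes.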
The company’s Corelight Sensor is an appliance that performs network traffic analysis and file extraction at 10Gbps and beyond. That compares with analysis throughput of 3 to 4Gbps for the open source version.
SANS Institute research pointed to the learning curve for Bro, so Corelight provides a boost with commercial support as well as enterprise features. The device connects to an enterprise packet broker, such as Gigamon or Ixia, and becomes a high-fidelity source of data derived from the network traffic those packet brokers see, Bell said.
“But we definitely have an interest in monitoring that workflow in the cloud or development in virtual instances, so we look forward to deploying virtualized sensors for customers who need that,” he said.
“We are agnostic as to what data platform they want to use,” he said. “We don’t want to offer customers yet another pane of glass just for analysis of Bro data. The power of this idea of gathering data from all these sources and combining it is to do away with these independent, siloed tools and put the data in one place. So we’re a source of data, but not offering a new pane of glass. That’s why enterprise integrations are an important part of what we do.”
Its enterprise features include a comprehensive API, integrations for Splunk, Amazon S3 and Kafka, performance optimizations, a high-performance field-programmable gate array (FPGA)-based network interface card, optimized file extraction, and log filtering.
Born in Academia
Originally called Broala, the company was spun out in 2013 from the International Computer Science Institute (ICSI), a leading center for computer science research affiliated with the University of California, Berkeley. Broala’s name alludes to George Orwell’s “Big Brother,” signaling the need for operators of network monitoring to remain mindful of users’ rights and privacy.
Originally created by Seth Hall, Vern Paxson, and Robin Sommer, the Bro project has attracted millions in funding for its research, including a grant of nearly $3 million from the U.S. National Science Foundation (NSF) in 2010. Some of the larger deployments have been in the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign, the 2012 Barack Obama U.S. presidential campaign, Italian eyewear company Luxottica, and the Lawrence Berkeley National Laboratory and other labs supported by the Energy Sciences Network.
The company rebranded itself as Corelight last year. Bootstrapped until recently and supported by its open source community, it just announced a $9.2 million round of investment. Bell said he can’t name its users, but added it has six customers in the Fortune 100. It’s focusing on the Fortune 2000.