Corelight is pushing forward with a strategy to advance its network security platform, based on the open-source Bro security project.
On Sept. 11, Corelight announced that it raised $25 million in a Series B round of funding, led by General Catalyst. Total funding to date for Corelight stands at $34.2 million. The new funding follows Corelight’s announcements on Sept. 6 of a new virtual sensor platform and enhanced packages for the Bro platform.
“We’re commercializing open-source software that has its origin in the 1990s,” Greg Bell, CEO of Corelight, told eWEEK. “Bro started around the same time as other great open-source security projects like Snort and Nessus, which both led to great companies, with Sourcefire and Tenable, and we see Corelight very much in the tradition of those companies.”
Snort is an intrusion prevention system that was commercialized by Sourcefire, which in turn was acquired by Cisco Systems in 2013 for $2.7 billion. Nessus is a vulnerability scanner that was commercialized by Tenable, which just had its initial public offering on July 26 on the Nasdaq stock exchange. The open-source Bro project fills a different role than either Snort or Nessus. Bro is a network security monitoring technology that provides an analysis framework.
Corelight provides additional enterprise integrations and features on top of the open-source Bro project, according to Bell. He noted that the company got started in 2013 initially as a services organization and then expanded into providing hardware appliances integrated and optimized for Bro.
“We’re now extending the product line into the virtual realm,” Bell said. “Our vision really is to allow enterprises to achieve great network visibility wherever and however they need it.”
Software
In recent years, it has been more common for startups to begin with a software or virtual edition of a commercial cyber-security product than with hardware. Corelight took the hardware route first. Bell explained that the core founding team, which is also the team that created Bro, knew they could create a high-performance implementation of Bro on hardware that companies would pay for.
“It’s funny, internally we very much think of ourselves as a software company,” Bell said. “The core open-source team, of course, has been writing software together for a long time and internally we’ve always developed on a virtual platform.”
Bell added that in a sense, the hardware sensor that Corelight first went to market with is a hardware port of the company’s original product, which is a virtual sensor. He noted that the new virtual sensor that became available on Sept. 6 is the first time Corelight has had a commercially supported virtual sensor for customers to use. The Corelight virtual sensor currently runs on VMware virtualization technology, though Bell noted that efforts are underway to enable it to also run on container and Kubernetes-based platforms.
The virtual platform doesn’t benefit from the accelerated performance that the hardware version of Corelight’s sensor provides. Bell said the Corelight hardware sensor platform uses commodity parts alongside a specialized FPGA (Field Programmable Gate Array) network interface card (NIC).
“We offload as many CPU-intensive cases to the NIC as we can,” Bell said. “Bro is very CPU-intensive, because what it’s doing under the hood is parsing thousands or even millions of simultaneous TCP and UDP connections.”
How Bro Works
Bro is a different type of network security tool than a classic intrusion detection system (IDS) that relies on signatures to detect anomalies.
“Bro is doing something different; it’s providing real-time telemetry, sometimes called metadata, with very detailed actionable data about what’s happening on the wire,” Bell explained. “So when something bad happens, you can quickly piece together the narrative of what happened, what led to the incident or breach and what happened afterwards.”
Bro isn’t the only open-source project that can be used to understand network data. Another popular project is the open-source Wireshark effort, which works with packet capture (PCAP) data.
“The rising popularity of Bro is because it is in the sweet spot between PCAP on one hand and netflow on the other, which is quite minimalist,” Bell said. “We find that most organizations can resolve most of their security incidents just using Bro data.”
Looking beyond just using Bro for network data analysis, Bell said Bro is also an application platform that the community uses to build scripts and other applications that do interesting work with the network data.
“We have only just begun to exploit the power of those scripts in our product, and really almost anything you can imagine wanting to do with network traffic can be done with Bro,” he said.
The Core Collection for Bro, which was announced alongside the virtual sensor release, provides a series of different scripts to enable operational insights from Bro. Among the scripts in the collection is a crypto-currency mining detector, as well as an automatic hostname detector for network traffic.
“You’ll see us working to make the data from Bro even better, more useful and more targeted so that security operations centers can do their jobs faster and more effectively,” Bell said. “We aim to be the definitive data source for network derived data.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.