With the holiday season here again, this time of year reminded us of a Corelight customer, an energy company, whose use of Corelight enabled immediate diagnosis of an internal security incident on the eve of a major holiday vacation and allowed security team members to go home to their families. Here’s how it happened.
On the eve of the company’s December holiday period, the Security Engineer’s boss had asked his team to undertake a critical investigation to understand if unauthorized internal sources had accessed a sensitive file on an SMB share.
The Security Engineer searched Corelight’s network logs in his SIEM for the file name and quickly located it and its unique Bro (now Zeek) file ID, which allows quick pivots to see where else that file has appeared, across all network protocols, regardless of the file name.
Corelight’s Sensor appliance’s rich SMB protocol log showed that an individual had, in fact, accessed the file in question.
The Security Engineer and his team discovered, documented, and shared this evidence with his boss in a matter of minutes and then left the office to join his family for the holiday, investigation completed.
When later asked to estimate how long it would have taken to resolve this issue without Corelight’s SMB logs, the Security Engineer shuddered: “I don’t even know that we would have been able to resolve it definitively, which is scary. We probably would’ve had to forensically image the file server” he said. “There is no way to easily digest thousands of gigabytes of (read/write) access files from a host-based side.”
READ THE FULL CASE STUDY
If you’d rather be spending time with your family than sifting through log data this holiday season, please get in touch to see how Teneo and Corelight can help.