Corelight integrates Microsoft Defender for IoT

  • November 3, 2021
  • Steve Rogerson

California-based Corelight has integrated Microsoft Defender for IoT into its open network detection and response (NDR) platform.

Announced at this week’s Microsoft Ignite 2021 virtual conference, Corelight has become the first Microsoft NDR partner to take advantage of Defender for IoT’s cross-industry integration capabilities. Corelight users can send data from deployed sensors to Microsoft 365 Defender, and in turn Defender for IoT can apply its behavioural analytics and machine-learning techniques to discover and classify devices and to protect, detect and respond to IoT attacks.

This also enables Defender for IoT to apply its global IoT and OT threat intelligence.

“The number of unmanaged systems on the internet is soaring, and this ever-expanding risk surface is already a target,” said Greg Bell, chief strategy officer for Corelight. “Unfortunately, most defenders lack the information they need about IoT and OT systems in their environment. Our integration combines best-in-class network evidence from Corelight, with the advanced vulnerability management, threat intelligence and detection and response capabilities of Microsoft Defender for IoT. The result is more efficient incident response, and deeper insight into IoT footprint, behaviour and risk.”

Corelight’s open NDR provides full network coverage of on-premise, cloud and hybrid environments to help security operations teams using Defender for IoT detect and respond to attacks. As an open platform, Defender for IoT can use a network signal from Corelight sensors for asset discovery, inventory, risk assessment, detection and mitigation.

“Corelight is leveraging our open platform to share data to further enrich Microsoft Defender for IoT,” said Nir Giller, Microsoft Defender for IoT group manager. “Customers who have deployed Corelight can secure their entire IoT and OT environments with Microsoft 365 Defender and Defender for IoT within minutes while adding more detections based on encrypted traffic analysis and complementing Microsoft’s Mitre ATT&CK coverage.”

Additional benefits from Corelight include:

  • NDR coverage for every device on the network: Understand and manage risk across the entire IoT and OT landscape including high-value assets, managed and unmanaged endpoints, IoT devices, and cloud environments.
  • Single platform for NDR: Corelight provides everything security operations teams need for detection and response, built on open standards including Zeek for telemetry, Suricata for alerts and Smart PCap for packets.
  • Faster answers for analysts and hunters: Rich, structured network data from more than 35 protocols and over 400 data fields captured in real time provides additional context for alerts, accelerating incident response and expanding threat hunting capabilities.
  • Integration with existing SoC toolsets: Correlate rich network telemetry with threat intelligence feeds for sending to multiple destinations simultaneously, including Microsoft Sentinel, Splunk and other analytic tools.
  • Deeper insights: Insights to hunt for attackers without compute-intensive practices that compromise privacy, find command-and-control (C2) activity with more than 50 insights that cover both known C2 toolkits and Mitre ATT&CK C2 techniques, and more.

Corelight integration will be available with public preview of Microsoft Defender for IoT scheduled for November 30.

Corelight provides security teams with network evidence so they can protect critical organisations and companies. Customers include Fortune 500 companies, major government agencies and large research universities. Based in San Francisco, Corelight is an open-core security company founded by the creators of Zeek network security technology.