RSAC Fireside Chat: The NDR evolution story—from open source start to kill chain clarity

By Byron V. Acohido
As corporations prepare for a fresh surge of covert infiltrations — known as Typhoon assaults — security decision-makers are intensifying their focus on network intelligence that transcends mere surface-level warnings.
Related: What constitutes NDR?
During this Fireside Chat at RSAC 2025, I spoke with Brian Dye, CEO of Corelight, about how Network Detection and Response (NDR) is helping defenders cut through the noise and get to “ground truth.”

Dye likens these attacks to a weather system: nation-state intrusions that slip past traditional perimeter defenses and dig in using “living off the land” techniques. Once inside, attackers blend in by abusing trusted IT tools, often operating undetected for long periods. “NDR acts as the bridging element,” Dye explains. “It aids SOC teams in visualizing the complete kill chain — right from the initial breach to lateral progression and probable data exfiltration.”
We also discuss how Corelight, which grew out of the open-source Zeek project, has evolved from a tool used only by elite defenders into a platform now within reach of mid-sized organizations facing heightened nation-state threats.

Dye recalls that, in the past, only the best-resourced security teams could run Zeek effectively; Corelight's contribution has been to package that capability for broader adoption, giving smaller SOCs the same precise internal visibility once limited to major banks and government agencies.
At the same time, generative AI is beginning to make a concrete difference in day-to-day SOC work. Dye notes that GenAI is not replacing human analysts but is speeding up their work. Smaller teams already rely on vendor-integrated LLMs to interpret alerts and suggest next investigative steps. Larger organizations go further, training custom LLMs to enrich and correlate telemetry in real time. Thanks to its open-source roots, Corelight fits both scenarios, supplying structured, reliable network data as the “fuel” for these AI-assisted investigations.
The key takeaway? Clarity is power. In a landscape where threat actors increasingly pose as insiders, knowing what is actually happening, and being able to prove it, can prevent substantial losses. “There exists a significant disparity between mere speculation and factual knowledge,” Dye observes.
• Listen to the full podcast to hear why ground truth may be the most crucial asset in the next phase of cybersecurity.

April 24th, 2025

*** This post was originally published on The Last Watchdog, a Security Bloggers Network platform, by bacohido. View the original article at: https://www.lastwatchdog.com/rsac-fireside-chat-the-ndr-evolution-story-from-open-source-start-to-kill-chain-clarity/
