In this On Location Brand Story episode, Corelight CEO Brian Dye explains why network visibility is becoming the most critical—and often overlooked—layer in modern cybersecurity defense. He breaks down how organizations can detect what endpoint tools miss, measure success more effectively, and avoid costly blind spots during attacks like ransomware.
At RSAC Conference 2025, Sean Martin catches up with Brian Dye, CEO of Corelight, to explore a recurring truth in cybersecurity: attackers adapt, and defenders must follow suit. In this episode, Dye lays out why traditional perimeter defenses and endpoint controls alone are no longer sufficient—and why it’s time for security teams to look back toward the network for answers.
Beyond the Perimeter: Visibility as a Force Multiplier
According to Dye, many organizations are still relying on security architectures that were top-of-the-line a decade ago. But attackers have already moved on. They’re bypassing endpoint detection and response (EDR) tools, exploiting unmanaged devices, IoT, and edge vulnerabilities. What’s left exposed is the network itself—and that’s where Corelight positions itself: providing what Dye calls “ground truth” through network-based visibility.
Rather than rearchitecting environments or pushing intrusive solutions, Corelight integrates passively through out-of-line methods like packet brokers or traffic mirroring. The goal? Rich, contextual, retrospective visibility—without disrupting the network. This capability has proven essential for responding to advanced threats, including lateral movement and ransomware campaigns where knowing exactly what happened and when can mean the difference between paying a ransom or proving there’s no real damage.
Three Layers of Network Insight
Dye outlines a layered approach to detection:
1. Baseline Network Activity – High-fidelity summaries of what’s happening.
2. Raw Detections – Behavioral rules, signatures, and machine learning.
3. Anomaly Detection – Identifying “new and unusual” activity with clustering math that filters out noise and highlights what truly matters.
This model supports teams who need to correlate signals across endpoints, identities, and cloud environments—especially as AI-driven operations expand the attack surface with non-human behavior patterns.
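The distinction the three layers rest on is "new" versus "new and unusual": a plain diff against the baseline flags every unseen connection, while the anomaly layer also asks whether the behaviour is normal for the host's peer group. The script below is an added illustration written for this summary, not Corelight's or Zeek's code. It takes constructed Zeek-style connection summaries (layer 1), builds per-host port profiles, groups hosts into peer clusters with a simple greedy Jaccard clustering (an assumption standing in for whatever clustering the vendor actually uses), and then labels each record in an evaluation window as known, new-but-ordinary, or new and unusual.

```python
from collections import defaultdict

# Constructed Zeek-style conn summaries (ts, id.orig_h, id.resp_h, id.resp_p).
# These "layer 1" baseline records are made up for this example.
BASELINE = [
    (1, "10.0.1.10", "10.0.0.5", 53),     (2, "10.0.1.10", "203.0.113.8", 443),
    (3, "10.0.1.10", "10.0.0.20", 445),   (4, "10.0.1.11", "10.0.0.5", 53),
    (5, "10.0.1.11", "203.0.113.8", 443), (6, "10.0.1.11", "10.0.0.20", 445),
    (7, "10.0.1.12", "10.0.0.5", 53),     (8, "10.0.1.12", "198.51.100.7", 443),
    (9, "10.0.0.20", "10.0.0.5", 53),     (10, "10.0.0.20", "10.0.0.6", 389),
    (11, "10.0.0.21", "10.0.0.5", 53),    (12, "10.0.0.21", "10.0.0.6", 389),
]

# Records from the window being evaluated (also constructed).
WINDOW = [
    (100, "10.0.1.12", "203.0.113.8", 443),  # unseen pair, but 443 is normal for workstations
    (101, "10.0.1.10", "10.0.0.20", 445),    # already in the baseline
    (102, "10.0.1.12", "10.0.0.20", 22),     # workstation starts using SSH to a server
    (103, "10.0.0.20", "10.0.0.21", 3389),   # server-to-server RDP, never seen from that group
    (104, "10.0.1.99", "10.0.0.5", 53),      # host that was not in the baseline at all
]


def port_profiles(records):
    """Set of responder ports each originating host used during the baseline."""
    profiles = defaultdict(set)
    for _ts, orig, _resp, port in records:
        profiles[orig].add(port)
    return profiles


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster_hosts(profiles, threshold=0.5):
    """Greedy clustering (an assumption, not the vendor's method): a host joins
    the first cluster whose seed profile has Jaccard >= threshold, otherwise it
    seeds a new cluster.  Returns {host: cluster_id}."""
    clusters = []  # list of (seed_profile, member_set)
    for host, ports in sorted(profiles.items()):
        for seed, members in clusters:
            if jaccard(ports, seed) >= threshold:
                members.add(host)
                break
        else:
            clusters.append((set(ports), {host}))
    return {h: i for i, (_seed, members) in enumerate(clusters) for h in members}


def classify(baseline, window, threshold=0.5):
    """Label each window record 'known', 'new' (unseen pairing that is normal
    for the host's peer group) or 'new+unusual' (unseen pairing on a port the
    peer group never used, or a host with no baseline at all)."""
    seen = {(o, r, p) for _t, o, r, p in baseline}
    profiles = port_profiles(baseline)
    cluster_of = cluster_hosts(profiles, threshold)
    group_ports = defaultdict(set)
    for host, cid in cluster_of.items():
        group_ports[cid] |= profiles[host]
    out = []
    for ts, o, r, p in window:
        if (o, r, p) in seen:
            verdict = "known"
        elif o in cluster_of and p in group_ports[cluster_of[o]]:
            verdict = "new"
        else:
            verdict = "new+unusual"
        out.append((ts, o, r, p, verdict))
    return out


if __name__ == "__main__":
    for ts, o, r, p, verdict in classify(BASELINE, WINDOW):
        print(f"{ts:>4} {o:>12} -> {r}:{p:<5} {verdict}")
```

Only the "new+unusual" rows would be worth an analyst's time as hunting leads; the "new" row is exactly the noise a naive diff would have raised. A production baseline would also weigh responder identity, volume and time of day, but the split shown here is the one the summary is describing.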
The Metrics That Matter
Dye points to three critical success metrics for teams:
• Visibility coverage over time.
• MITRE ATT&CK coverage, especially around lateral movement.
• The percentage of unresolved cases—those embarrassing unknowns that drain time and confidence.
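The three metrics above are straightforward to compute once the inputs are tracked. The script below is an added example, not Corelight's tooling: it measures visibility coverage as the fraction of an evaluation window during which a sensor was actually reporting for each network segment (merging overlapping uptime intervals), lateral-movement coverage as the share of a small set of MITRE ATT&CK lateral-movement techniques that have at least one mapped detection, and the unresolved-case rate as the share of cases whose oldest needed evidence is older than the data retention period. All segment names, uptime intervals, detection names and case ages are constructed; the technique IDs are real ATT&CK identifiers but the subset chosen is the example's own.

```python
from datetime import datetime

# --- constructed inputs ---------------------------------------------------
WINDOW_START, WINDOW_END = datetime(2025, 4, 1), datetime(2025, 4, 8)  # one week
SEGMENTS = ["dc-core", "user-vlan", "ot-edge", "cloud-vpc"]
SENSOR_UP = {  # intervals during which a sensor was reporting for the segment
    "dc-core":   [(datetime(2025, 4, 1), datetime(2025, 4, 8))],
    "user-vlan": [(datetime(2025, 4, 1), datetime(2025, 4, 4)),
                  (datetime(2025, 4, 3, 12), datetime(2025, 4, 8))],  # overlapping
    "ot-edge":   [(datetime(2025, 4, 1), datetime(2025, 4, 4, 12))],  # sensor died mid-week
    # "cloud-vpc" has no sensor at all
}
LATERAL_MOVEMENT = {  # a subset of ATT&CK lateral-movement techniques, chosen for the example
    "T1021.001": "Remote Desktop Protocol", "T1021.002": "SMB/Windows Admin Shares",
    "T1021.004": "SSH", "T1570": "Lateral Tool Transfer", "T1210": "Exploitation of Remote Services",
}
DETECTIONS = {  # hypothetical detection names mapped to the technique they cover
    "smb-admin-share-from-workstation": "T1021.002",
    "ssh-keystrokes-outside-change-window": "T1021.004",
    "new-rdp-peer": "T1021.001",
}
CASES = [  # age in days of the oldest evidence each case needed to reach a conclusion
    {"id": "c1", "oldest_evidence_age_days": 1}, {"id": "c2", "oldest_evidence_age_days": 2},
    {"id": "c3", "oldest_evidence_age_days": 3}, {"id": "c4", "oldest_evidence_age_days": 5},
    {"id": "c5", "oldest_evidence_age_days": 8}, {"id": "c6", "oldest_evidence_age_days": 12},
    {"id": "c7", "oldest_evidence_age_days": 30}, {"id": "c8", "oldest_evidence_age_days": 95},
]


def merge_intervals(intervals):
    """Coalesce overlapping or touching (start, end) intervals."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def coverage_fraction(intervals, window_start, window_end):
    """Fraction of the window covered by the union of the intervals."""
    total = (window_end - window_start).total_seconds()
    covered = 0.0
    for start, end in merge_intervals(intervals):
        start, end = max(start, window_start), min(end, window_end)
        if end > start:
            covered += (end - start).total_seconds()
    return covered / total


def visibility_over_time(segments, sensor_up, window_start, window_end):
    """Per-segment coverage plus the mean; segments with no sensor count as 0."""
    per_segment = {s: coverage_fraction(sensor_up.get(s, []), window_start, window_end)
                   for s in segments}
    return per_segment, sum(per_segment.values()) / len(per_segment)


def technique_coverage(techniques, detections):
    """Share of techniques with at least one mapped detection, and the gaps."""
    covered = set(detections.values()) & set(techniques)
    return len(covered) / len(techniques), sorted(set(techniques) - covered)


def unresolvable_rate(cases, retention_days):
    """Cases that cannot be closed because the evidence they need has already aged out."""
    stuck = [c for c in cases if c["oldest_evidence_age_days"] > retention_days]
    return len(stuck) / len(cases)


if __name__ == "__main__":
    per_seg, mean_cov = visibility_over_time(SEGMENTS, SENSOR_UP, WINDOW_START, WINDOW_END)
    print("visibility:", {k: round(v, 2) for k, v in per_seg.items()}, "mean", round(mean_cov, 3))
    print("lateral movement coverage:", technique_coverage(LATERAL_MOVEMENT, DETECTIONS))
    for days in (7, 90):
        print(f"unresolvable cases with {days}-day retention:", unresolvable_rate(CASES, days))
```

The last function is the one to watch: with the constructed cases, a 7-day retention window leaves half of them unresolvable, while 90 days leaves one in eight, which is the retention-versus-blind-spot trade-off the episode keeps returning to.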
As Dye shares, organizations that prioritize network-level visibility not only reduce uncertainty, but also strengthen every other layer of their detection and response strategy.
Learn more about Corelight: https://itspm.ag/coreligh-954270
Note: This story contains promotional content.
Guest:
Brian Dye, Chief Executive Officer, Corelight | https://www.linkedin.com/in/brdye/
Resources
Learn more and catch more stories from Corelight: https://www.itspmagazine.com/directory/corelight
Learn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsac25
______________________
Keywords:
sean martin, brian dye, network, visibility, ransomware, detection, cybersecurity, soc, anomalies, baselining, brand story, brand marketing, marketing podcast, brand story podcast
______________________
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
Want to tell your Brand Story Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf
Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us
What Endpoint Security Isn’t Catching: Why Network Visibility Still Matters | A Brand Story with Brian Dye from Corelight | An On Location RSAC Conference 2025 Brand Story
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] Here we are. We are at RSAC conference. Sean. We're living the dream. We are living the dream this week. Right. It's, I don't know, 40 plus thousand of our closest friends. Mm-hmm. Cruising the streets and roaming the halls and hopefully having some good conversations. Absolutely. So far.
At least. So far. Yes. So, uh, Brian Dye, it's a pleasure to have you on. Um, excited to hear about what you're up to with Corelight. Uh, before we get into. The solution and the, the challenges that you're helping organizations overcome. Maybe a few words about some of the things you've done that led you to Corelight and what your current role at Corelight is.
Brian Dye: No, uh uh, thanks for the opportunity. Really appreciate the time. You know, the, the quick background on me, uh, I've been in the cyberspace for about 15 years now, uh, and kind of, uh, typically at some of the larger vendors. I was at Symantec for many years at McAfee for a couple years, uh, helping get them spun out of Intel.
And then, you know, when I decided to go into the smaller side of the world. I looked at just a range of security startups near my house, uh, and was really enthralled by the open source nature of the company, the [00:01:00] culture of the company, the mission fit, the type of customers that we had a chance to serve, and that's what really drew me in.
So I've been at, uh, Corelight for about seven years. I led products for the first couple and then been CEO for roughly the last four and a half. So,
Sean Martin: nice, man. So let's, let's talk about, so you touched on the open source, so I want to get to that, but, um, maybe a, a brief. Overview of Corelight and its, and then its connection to the open source, because I think it's a big, big part of what's going on.
Right?
Brian Dye: Yeah. I think that the really simple version on Corelight is we give you ground truth of what's happening on the network to find the attacks that are bypassing your EDR, bypassing your traditional perimeter defenses, like firewalls. And there's no better example for this out in the market today than Volt and Salt Typhoon.
So if you think about all the guidance from CISA, it's starting with, yes, you need to patch your systems. Yes, you need to train your team. But then it makes a really big point of saying you really need to do network baselining and anomaly detection. And if you think about the network detection response category and what Corelight does specifically, that's what we do, right?
We give you that, that ground truth visibility [00:02:00] so you can understand the things that have bypassed all your other defenses, right?
Sean Martin: So there's, there's been a lot of focus on the EDR and XDR space and I, I feel that maybe not so much attention on the network these days, which seems really strange to me. Um.
It depends on, I grew up doing all the IPS stuff, network IPS and whatever. And so how, how has that shifted in terms of teams and technology and infrastructure? Clearly cloud has come into play, um mm-hmm. But so how does, how does network monitoring and protection, how's that changed and, and how has Corelight kind of either led some of that and, and helped to be ahead of it?
Brian Dye: Yeah. You, what you're seeing is exactly right. There's a natural pendulum in cyber that's been swinging for 25 years. Evolution on the endpoint, evolution on the network, back to evolution, on the endpoint and so forth. So the focus on EDR over the last five or 10 years has been wonderful, positive, incredibly effective for customers, and is an awesome thing, right?
So if there's anyone watching this who does not have [00:03:00] a modern EDR deployed, please stop watching this and go do that. Like, we'll, we'll talk afterwards, right? But then what happens is the attackers look at what is the weak spot that is left over from that architectural evolution. And so if you look at what's happening now, you know there is an eight x increase.
Year over year, last year in the actual exploits and perimeter devices being the entry point into networks. 'cause folks are avoiding EDR controls, right? Once folks to steal credentials, about half of the credential theft is on either personally owned or non EDR devices. So the attackers are doing exactly what you would expect them to do.
They are avoiding the perimeter controls. And so our angle on that's pretty simple. We've had the benefit as part of this open source heritage that we come from. From serving some of the most elite defensive teams in the world, right? The webscale, tech giants, intel agencies, things like that. And so the threat model they've been wrestling with for the past five or 10 years is the one that we've developed to serve.
And so, gee, as this, as this network defense becomes so important on the inside the perimeter of your environment, things like [00:04:00] NetFlow and PCAP just aren't enough anymore, right? You need deep enrich metadata, you need behavioral baselining, you need machine learning. You need all the advanced analytics.
That those technologies just couldn't provide. Right. So it really is that pendulum swinging back to kind of innovation in a way that you're helping counter the specific kind of EDR and firewall evasion techniques that are being used today.
Sean Martin: So talk to me about how the teams have changed too, and, and maybe their, their processes and, and maybe even how the leadership team looks at risk with respect to network visibility and, and monitoring and response and all that stuff.
Brian Dye: Oh, it's a great question because. The team structures we don't see changing. Okay. Right. So you have IT. Those roles are very endpoint. Well, IT, InfoSec and if, if you look within the SOC, especially in some of the larger security teams, you've got, you know, a security engineering versus an operations teams.
If you're really lucky, you've got some malware. Malware, reverse analysis or detection, engineering. All the org structures are, are very consistent. What's happening is two things. Okay? Number one, that visibility metric folks are realizing that that that itself is a vulnerability. [00:05:00] Right. If you've been relying on PCAP as your way to solve this problem, and you have PCAP for seven days and you're investigating a threat from eight days ago, you're blind.
You have no visibility, you have no recourse, and you can't analyze your way out of, I don't have the data. Right? So that becomes a force multiplier for everything. So that's one really big thing that leads to a lot of technology modernization, right? Yeah. Folks that might have been relying on NetFlow or PCAP or a standalone IDS that were a great idea 10 years ago, not the modern way today.
That's really big. And the second piece. Because, you know, we can only let it go a certain number of minutes. Before we talked about AI of, that's the thing for RSA this year, uh, is that they're realizing if they wanna accelerate their SOC mm-hmm. The context that the network provides is actually incredibly important to connect the dots across everything else.
Okay. Because the end point gives you depth the identity, the human identity gives you, uh, human context. The network gives you attack, breadth, context. So the, the fact that the network lets you connect the dots across everything means that all of a sudden these AI initiatives also ironically make your network [00:06:00] visibility more important because we're that connective tissue that helps connect the dots.
Sean Martin: So when we talk about visibility, what are, what are some of the signals you talked about? PCAP and NetFlow give you some signals. They're not enough. So what, what else do organizations and teams need to look for in terms of signs that something might be going awry? Yeah,
Brian Dye: there, there's really three layers, right?
And, and all of them are important. The, the, the baseline layer is just what's happening on the network. Give me the cliff notes. So, uh, one of the things that the open source project that we're based on, you know, now Zeek, formerly Bro, was originally about, was to say, Hey look, give me the cliff notes, give me the 1% signal so I don't have to keep a hundred percent of the network traffic.
So that just gives you ground truth. And then we've invested quite a bit on top of that to create other indicators of behavior. So, for example, analyzing encrypted traffic. If you see keystrokes happening over SSH and that's not a network admin during a change window, you're at least looking at a policy violation and you could be looking at someone typing, you know, [00:07:00] uh, keyboard commands over a command and control link.
So that baseline foundational data is super important. Flipping to the other end of the pyramid, yes, raw de raw detections matter. So whether it's rule behavioral rules or signatures or machine learning, there's a whole bunch of just fine badness. That, of course, is important. But the real thing that this category is adding, that Corelight's creating is network baselining and anomaly detection.
Because there's a whole bunch of, this is weird, it's, it's new and unusual, right? That's a problem. You don't necessarily start your incident response process with that, but you are gonna use it for threat hunting and you are gonna use it for that context to be able to connect the dots across the rest of an attack.
So really providing all three of those layers is foundationally kind of what we're giving security teams, uh, as ammunition. Okay.
Sean Martin: So that, that, that anomaly new might be legitimate, new and weird, maybe less legitimate. But I'm wondering what's changed in that layer that teams might not be thinking about?
[00:08:00] 'cause I'm, first thing I'm thinking is agentic AI, right? Yep. Non-human based actions. There were machines that are taking action on our behalf, and maybe those things are compromised, or microservices are compromised, so, mm-hmm. What are you seeing in. In that anomaly layer where humans and non-humans might look different now?
Brian Dye: Yeah. It's, it really the, the advance here is actually in the map. Okay. Because if you look at how anomaly detection was done, I mean, even a few years ago, it folks had a really hard time getting baselining that would separate the new versus the unusual. So all you do is generate new, you're creating a ton of noise that doesn't help anybody.
Right. Right. That's a, that's a diff That should be a diff command. Like that's not actually helpful. The, the clustering analysis to be able to find new and unusual is actually really what's impacting here. Because if you look at what, what were folks complaining about network analytics on 10 years ago, it was the fire hose of alerts that was too much for people to process you.
You tap in what now? What exactly right? Like, oh, thanks. I'm drowning in alerts and you gave me 10,000 more alerts. Like that is not helpful. So really being able to provide folks [00:09:00] constructive conflict, uh, or sorry, constructive context is actually what's been really different and it's really been evolutions in the math and the application of the math.
And for us, one of the things that we, we've really thought a lot about is we co-develop a bunch of our, of our detection models in a pretty wide range of customer environments because networks are not endpoints. Right. Right. Endpoints look highly similar and you've got tools like VirusTotal that give you great kind of, uh, you know, corpus and malware to go test against. Everybody's network looks different.
Yeah. So you really have to be developing your material, developing your technology in a wide variety of super diverse networks. Works so that you can actually understand and you're not tailored for any one type because the moment you do that, you're gonna fail. In another one, you're gonna cause a bunch of a bunch of noise, right?
That just doesn't help anybody.
Sean Martin: So I, I presume you help teams kind of figure out the definition of good mm-hmm. The definition of anomalies and then hopefully def helping them to def actually build a network that is secure that, that they can [00:10:00] more, less exposed perhaps. So maybe, maybe change the way the network functions, but then also how, I guess what I'm really leaning toward is, so you help the teams actually get stuff running, but then how do they measure success and how do they communicate to their, their management team that we're actually doing what we need to do with respect to the network?
Brian Dye: Yeah. The, the, the, the three most interesting metrics I've seen customers use, number one you already covered, which is that visibility metric. Because for folks that aren't tracking that, they realize they have to, and they need to pull, put both coverage and time because that tells you what your actual visibility is.
And that becomes just a, a force multiplier for all of your other metrics, right? If you think you have a mean time to detection metric, but you have 80% visibility, you're kidding yourself. You don't know 20% of that metric, right? So that's, that's number one. Uh, the second piece we've seen folks going after is their MITRE coverage, and in particular lateral movement because.
Lateral movement's, one of those classic areas of the kill chain to look at where you're before damage, but you have a lot of [00:11:00] chances to find the attacker. By definition, they are moving more often, right? They're beaconing, they're moving, they're, they're living off the land. You get more bites at the apple to go find 'em.
So lateral movement coverage in particular has been really big. And then the most interesting one I've really enjoyed hearing customers talk about is looking at the percentage of cases they can't close. Okay? 'cause that tells you your ultimate success metric, right? If you've got. 5% of cases you can't close.
Gimme an example. Like, okay, you get this alert, you're investigating it, you don't know what it is, and you eventually just run outta data and you have to give up as an analyst. Okay. This is like the embarrassment metric, right? And they, the, the, the savvy orgs are starting to track that because it tells them what their uncertainty is.
Sean Martin: Okay. Right.
Brian Dye: I met with a customer years ago that had a really interesting waterfall for me. He said, look, we blocked 30 billion attacks at the perimeter, and then we have 30,000 incidents that someone has to chase down. And I have 3000 security events where I have to go do something. He said, that's not what I'm worried about.
What I'm worried about is whether that 3000 number should be 3,500.
Sean Martin: Hmm.
Brian Dye: So [00:12:00] that's what people are trying to get their arms around. Right. What am I missing at the end of the day? Not
Sean Martin: seeing, right? Yeah, I'm not seeing that. So as we wrap here, maybe give, gimme some examples. That was a good example of, of a particular incident.
But, um, can you share, you don't have to name the customer, but some, some use cases where. If they didn't have visibility, now they do. They found some things that, indicators of compromise or whatever. Yep. And, and then how do they refine and improve their program after working with you to, to cover, so yeah, to bring it together.
Yeah. I,
Brian Dye: my, my favorite one because it, it's just so, it's so easy to understand afterwards, but very few people think of it up front is, uh, a ransomware attack. So we had a customer that was under a ransomware attack, uh, I'll just say some relatively recently. And the attacker got in, standard playbook, said, Hey, we've stolen all this stuff.
If you don't give it to us, there's a $10 million ransom. You know, here's what we're gonna publish. Here's how it's gonna affect your brand, how it's gonna affect your [00:13:00] stock price. And that customer, because we had been working with them for about a year and a half prior, they had really built up a baseline understanding of their network.
And the first thing they realized was there was no honor among thieves. Right. The attacker claims to have stolen all this stuff. And they had actually taken about 10% of it. And the 10% they took actually wasn't that brand damaging. And so they wound up actually turning down the ransom. And so the difference between, I think, and I know you can actually put a price tag on it, it's $10 million.
And if you can imagine, it's not just the, the defensive team and the IR team that were getting their arms around this. You have to convince the CISO and the management structure, even the, the exec suite and actually the board audit committee. So again. I think versus, I know, is a tremendously powerful position to be in from a defender standpoint.
And I think there's no better case this, for this than being able to look at, at truly the all in exposure from a ransomware attack when you find all these kind of attacker dynamics through in the middle of it.
Sean Martin: So that, that information, the, the context surrounding it is lack of a [00:14:00] better word, automatic Yes.
Through Corelight. Yes.
Brian Dye: Because we give you the way to look back in time. Okay. To understand what happened. And again, let's go back to the Volt and Salt Typhoon discussion. We started with. The reason that these folks are getting in is they are using edge exploits or unmanaged devices or IoT devices, a whole set of non defendable points to get in.
Once they're in, you don't know, they're in, by definition, they're using these living off the land techniques. So by the, the real value that we're providing is the ability to not just find the indicators, uh, the anomalies, uh, live when it's happening. But be able to look back in time, three months, six months, nine months in the past and say, who got in?
What did they do? Are they still there? Has damage actually been done? And are you sure? Right. Can you prove it? Yeah. Right. That's, uh, that's tremendous. So one of a, a person a, a, a former Corelighter, unfortunately now passed away, had a great time sentence on this, you know, stolen from, from Asian folklore.
He said, the best time to plant a tree is 20 years ago. Right. The second best time is right now. Because you want that backtrack of [00:15:00] evidence to be able to look and find and have that ground truth.
Sean Martin: Yeah, so let's close with that because if you don't have the visibility, you don't really know that there might be a, and you can't recreate it, there might be a problem.
Yeah. So when you're working with new customers, um, or perhaps having conversations as a prospect to bring them on as a customer, what, what's the trigger for them to say? 'cause they don't have a sign, right. Yet. Mm-hmm. So how do, how do you give them a sign or how do they engage with you to rec, recognize the value that we just talked about and, and decide to bring you on?
How, what, what's that conversation sound like? Yeah.
Brian Dye: The conversation usually has a couple of different starting points. One is they've looked at their current technology stack and they've realized they are using the tech stack that was best in class 10 years ago because they've been focused on endpoint, because they've been focused on identity, they haven't been looking at the network, and they realize this is just untapped, right?
So. They're seeing at PCAP, IDS and NetFlow and they say I can do better. That, that's a big one. Technology consolidation. Uh, second one that's [00:16:00] related to that is they're looking at the cost efficacy of that stack and saying, gee, right, maybe I don't need to keep 30 days of PCAP right. When 80% of it's encrypted, maybe that's not a good use of my security budget.
Right? That tends to be a big one. And then the third one tends to be when they're looking at their MITRE coverage and they're looking at C2, lateral movement in particular and saying, Hey. Where am I exposed here? And that could be through a proactive assessment, that could be through red teaming, or frankly, they could have just read any one of the last 10 CISA advisories that are all telling them the same thing.
Right? This is the big uncovered area for most organizations. Isn't that true for you? So it tends to be one of those three that kind of starts the, it makes it a priority for them. And then that starts our conversation.
Sean Martin: Got it. And I always have one more question. Marco's not here to stop me there, so I'm gonna ask one more question because I think for me, if I was.
Responsible for the network that runs the business, I wouldn't want to change it too much. Yes. So how, how do you help teams recognize, well, you really do in these [00:17:00] instances, or you don't have to, but here's how you kind of alternatively mitigate some of this risk.
Brian Dye: Yeah, that's the, one of the great things about us is that we are a, an out of line device, right?
We are gonna take a tap, a span, a packet broker, in the clouds a VPC traffic mirror and, and kind of their equivalent. So we are non-disruptive to the network. So we don't force a network re-architecture. We don't have to roll out a big micro-segmentation project. You don't have to, you know, change your trunking strategy or anything like that.
The network operations team would go crazy. The change hurdles alone make that a two year project exactly like, like you already know. And so the ability to show up and say, Hey, here's a way to materially upgrade your defensive capabilities, address the Volt Typhoon, Salt Typhoon, living off the land lateral movement type attacks, and not disrupt your network operations.
And oh, by the way, what do we see? Folks bring us in for, to the SOC for incident response and threat hunting a hundred percent of the time. Yeah. In the first six to nine months, if you're giving folks ground truth of what happens on the network, you're giving people fantastic [00:18:00] data. Mm-hmm. What's the use case for fantastic data?
Better decision. All of it. Yeah. Oh yeah. So we start getting used for network ops compliance, insider threat, fraud, API security, kind of, you name it. So that initial tension with the network ops team actually turns into synergy. Yeah, afterwards. 'cause they're like, oh wait, we've had this problem we haven't been able to diagnose for the last three years.
And, but because we get this great fidelity, now we can sort it out. Right. That tends to be the bonus on the conversation. That's fantastic.
Sean Martin: Well, Brian, great chatting with you.
Brian Dye: Really enjoyed it. Yeah. Thanks for making time for it. Fun,
Sean Martin: fun conversation and uh, excited to see how you guys continue to grow and it's all about the network.
Again, let's circle, circle. What's old is new. Let's circle the wagons. Network visibility. You need to know what's going on, not just for security, but for the rest, the health of the business. It really is Brian. Thanks a million man.
Brian Dye: Thanks for the time, Sean. Enjoyed it.