At RSAC Conference 2025, Sean Martin catches up with Brian Dye, CEO of Corelight, to explore a recurring truth in cybersecurity: attackers adapt, and defenders must follow suit. In this episode, Dye lays out why traditional perimeter defenses and endpoint controls alone are no longer sufficient—and why it’s time for security teams to look back toward the network for answers.

Beyond the Perimeter: Visibility as a Force Multiplier

According to Dye, many organizations are still relying on security architectures that were top-of-the-line a decade ago. But attackers have already moved on. They’re bypassing endpoint detection and response (EDR) tools, exploiting unmanaged devices, IoT, and edge vulnerabilities. What’s left exposed is the network itself—and that’s where Corelight positions itself: providing what Dye calls “ground truth” through network-based visibility.

Rather than rearchitecting environments or pushing intrusive solutions, Corelight integrates passively through out-of-line methods like packet brokers or traffic mirroring. The goal? Rich, contextual, retrospective visibility—without disrupting the network. This capability has proven essential for responding to advanced threats, including lateral movement and ransomware campaigns where knowing exactly what happened and when can mean the difference between paying a ransom or proving there’s no real damage.

Three Layers of Network Insight

Dye outlines a layered approach to detection:

1. Baseline Network Activity – High-fidelity summaries of what’s happening.

2. Raw Detections – Behavioral rules, signatures, and machine learning.

3. Anomaly Detection – Identifying “new and unusual” activity with clustering math that filters out noise and highlights what truly matters.

This model supports teams who need to correlate signals across endpoints, identities, and cloud environments—especially as AI-driven operations expand the attack surface with non-human behavior patterns.

The Metrics That Matter

Dye points to three critical success metrics for teams:

• Visibility coverage over time.

• MITRE ATT&CK coverage, especially around lateral movement.

• The percentage of unresolved cases—those embarrassing unknowns that drain time and confidence.

As Dye shares, organizations that prioritize network-level visibility not only reduce uncertainty, but also strengthen every other layer of their detection and response strategy.

Learn more about Corelight: https://itspm.ag/coreligh-954270

Note: This story contains promotional content. Learn more.

Guest: 

Brian Dye, Chief Executive Officer, Corelight | https://www.linkedin.com/in/brdye/

Resources

Learn more and catch more stories from Corelight: https://www.itspmagazine.com/directory/corelight

Learn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsac25

______________________

Keywords:

sean martin, brian dye, network, visibility, ransomware, detection, cybersecurity, soc, anomalies, baselining, brand story, brand marketing, marketing podcast, brand story podcast

______________________

Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage

Want to tell your Brand Story Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf

Want Sean and Marco to be part of your event or conferenc