Bricata in Plain English: SANS Network Security Interview with Chuck Harold


There’s a lot of jargon in the technology community, especially at conferences. Many moderators have kicked off sessions with a joke about buzzword bingo.

Such bingo games wouldn’t last very long, and the security community is no exception. This is perhaps why Chuck Harold and his programs like Security Guy TV have earned a reputation for straightforward and simple explanations of otherwise complicated topics.

At Bricata, we admit we are no exception. We’ve duly added a few buzzwords to the cybersecurity vocabulary. So, when Mr. Harold put our own Druce MacFarlane on the spot at the recent SANS Network Security event in Las Vegas, we thought it would be worthwhile to share the plain-talking explanation here.


In simple words, what does Bricata do?

Bricata has an appliance that sits on a network and it looks for potential threats moving around the network. The product uses three different “engines” that are inspecting traffic. These engines provide different perspectives of a threat or potential threat, which is very useful to an analyst.

One engine is a traditional signature-based engine. This will run all of the typical rules from Snort or Suricata, for example. This engine will find known threats – the things the security community has seen before and that have identifiable signatures.

The second engine examines network metadata. This means the engine is analyzing who is talking to whom – that is, which workstations are calling which servers, for example. In this way, the engine is able to determine typical, or normal, network traffic patterns to accomplish two things: a) identify anomalies in behavior on the network and b) use that data to enrich the alerts out of the signature engine.

The third engine is licensed through a partnership with Cylance. In essence, it provides content inspection. This means the engine inspects the packets traversing the network and is able to rapidly identify malware based on certain characteristics.

All of these engines are distributed through a single threat feed that helps security analysts examine the network, triage problems, and quickly identify what is important and what is not.

What do you mean by appliance?

The appliance is both physical and virtual, depending on the enterprise needs. If users want it to work as an intrusion detection system (IDS), it would sit adjacent to a traffic access point (TAP) and use those three engines to look for threats. For enterprises that want it to work as an intrusion prevention system (IPS), the appliance can sit in-line with network traffic and block threats – without slowing network speeds.

Is this a new innovation?

The core concept of an IDS or IPS appliance is a well-established segment of the cybersecurity market, which many enterprises have already designated as a line item on the budget.

Interestingly, that’s also one of the problems. For example, Snort has been around for nearly 20 years and was designed for older hardware. It wasn’t engineered to support the advanced hardware available today, and certainly doesn’t support the much faster network speeds we’ve come to expect.

This allowed Bricata to take a fresh approach from a software standpoint and we’ve designed it to be installed and used with commercial off-the-shelf hardware. The software will run equally well if an enterprise uses it on hardware we provide – or that which an enterprise chooses.

This means it’s plug-and-play compliant and supports high network speeds.

Why are there three different detection engines?

These engines look at the same problem differently. Enterprises today have threats moving in and out of the network, and also moving laterally across the network.

Signatures are obviously essential because they identify known threats, but recent examples like WannaCry and Petya would escape detection. This is why you need multiple methods of detection.

For example, if malware was delivered through a USB stick, it’s outside the realm of routine network monitoring. Once inside, that malware is going to try to spread to other devices. The way it does that is to scan the network and identify where else its exploit will be applicable. Bricata is able to pick up on those actions.

You need that behavioral detection engine to understand why a workstation that has never before called a database with sensitive customer information is suddenly placing such a call.

You also need that content inspection engine because of the way Cylance can look at content and determine, even though no one has seen this before, based on the behavior of that executable, we think this is malware.

So multiple views are necessary because even though the problem you are trying to solve is the same, the method of how you catch it is going to be different depending on the stage of the kill chain.
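The metadata engine’s baselining idea described above (learn who normally talks to whom, flag the workstation that suddenly calls the customer database, notice a host fanning out to new peers as it scans, and enrich a signature alert with that context), as an added example that is not Bricata’s code. All host names, ports, flow records and alert fields are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records (src_host, dst_host, dst_port) from a "learning" window.
BASELINE_FLOWS = [
    ("ws-101", "fileserver", 445),
    ("ws-101", "mail", 993),
    ("ws-102", "fileserver", 445),
    ("app-01", "custdb", 5432),
    ("app-01", "custdb", 5432),
]

# Constructed flows from a later window, to be judged against the baseline.
NEW_FLOWS = [
    ("ws-101", "fileserver", 445),   # routine: seen before
    ("ws-102", "custdb", 5432),      # workstation calling the customer DB: never seen
    ("ws-102", "ws-103", 445),       # workstation probing a peer on SMB: never seen
]

def build_baseline(flows):
    """Map each source host to the set of (dst, port) pairs it was seen talking to."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline

def find_anomalies(baseline, flows):
    """Return flows whose src -> dst:port pair never appeared in the baseline.
    A source absent from the baseline has no known peers, so all its flows are new."""
    return [f for f in flows if (f[1], f[2]) not in baseline.get(f[0], set())]

def new_destination_fanout(baseline, flows):
    """Count distinct never-before-seen destinations per source; a spike is a scan indicator."""
    fanout = defaultdict(set)
    for src, dst, _port in find_anomalies(baseline, flows):
        fanout[src].add(dst)
    return {src: len(dsts) for src, dsts in fanout.items()}

def enrich_alert(baseline, alert):
    """Attach metadata context to a signature alert dict with src/dst/port keys."""
    known = baseline.get(alert["src"], set())
    enriched = dict(alert)
    enriched["pair_seen_before"] = (alert["dst"], alert["port"]) in known
    enriched["src_known_peers"] = sorted({dst for dst, _port in known})
    return enriched
```

An analyst triaging the alert sees at once whether the pair is routine for that source and which peers it normally talks to, which is the enrichment the interview describes.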

Can smaller enterprises use this, or is it only for larger enterprises?

It’s applicable to small and mid-sized enterprises, as well as large enterprises. As noted in a Bricata contribution to CSO Online – Why even smaller enterprises should consider nation-state quality cyber defenses – even the casual adversary is gaining access to nation-state capabilities. Even if you are not the intended target, everyone and anyone is susceptible to being caught in the crossfire with disastrous consequences.

The full interview runs just about eight minutes and is well worth a listen if intrusion prevention and detection are in your purview. Should you be interested in learning more about how the Bricata solution can help protect your organization, please contact us to schedule a live demonstration.
