09 Oct Zeek IDS [formerly known as Bro] is One of the Most Powerful Cybersecurity Tools You’ve Never Heard Of
Zeek IDS — formerly known as Bro IDS — is around 20 years old, but awareness of the technology doesn’t match its age. Insiders say it’s the most powerful intrusion detection system (IDS) cybersecurity professionals never heard of before.
That’s beginning to change because more and more organizations are welcoming the visibility into network traffic the open source framework provides. That adoption in part is driven by the awareness stemming from the community’s annual conference. (Note: The name “Bro” stems from “Big Brother” of Orwellian roots and speaks to the breadth and depth of the data Bro is capable of capturing).
Before the 2018 conference, we reached out Michal Purzynski and invited him to our Q&A series. Mr. Purzyinski is a staff security engineer covering threat management for Mozilla – and he’s a member of the Zeek Project leadership team.
We caught up with him recently to get his perspective on broad trends in cybersecurity and where he sees the Zeek project helping to address those trends.
1) What would you say are the top challenges in security today?
MP: The top challenge today is keeping up with development and the rapid pace of everything. Today, operations and development teams often turn projects around very quickly and security struggles to keep up with the pace of development.
For example, technology organizations are building new modules and services using tools like Kubernetes the cloud in general. This means the infrastructure is extremely dynamic. Many security organizations are still set up under the old model of monitoring a server in the corner, and security professionals must adapt to the changing times.
2) Your part of a team that monitors the infrastructure, how have the threats to the infrastructure changed over time?
MP: We have much more intelligent adversaries that know what they want, which has changed the scope of the threats. For example, adversaries are doing a thorough due diligence and reconnaissance before even approaching an intended target.
It’s not that these threats are finding vulnerabilities in software or using exploits. Instead, they are targeting those organizations with lack of procedures, problems in permissions and privileges, and generally exploiting humans. So, rather than use an exploit to target software, they are going after people with access to the information they want.
3) What are some of the mistakes you see businesses make in monitoring their infrastructure?
MP: One problem is when security doesn’t have a plan for what they are going to monitor. Most network security deployments are a matter of having a ‘cool’ appliance that is capable of detecting all kinds of threats and security just plugs it into the network. However, there are no magic solutions in appliances – any time you plug an appliance into your network you have to think about you want to get out of it:
- What is the point of your appliance deployment?
- What are the problems and what are the things you want to detect?
- Will the appliance see the data you want?
It’s really a matter of changing the thinking from ‘this is my appliance’ to ‘what are the threats my organization is facing?’ What data should I log? What data should I not log to reduce the noise? This is where rules, like those you can build in Bro, can help.
This is important because the signal-to-noise ratio is very low. Many appliances generate a lot of alerts that are just noise. I once had a boss that used to say, if you have a system that generates a lot of false positives, you should replace it. If you have 100,00 alerts per day, you might as well power it off, because you can’t look at that kind of volume.
4) In your own words, what is Zeek [Bro]?
MP: There are three parts to Bro that I like to highlight:
First, Bro is like a time machine that lets you look back at what happened before or during an incident.
Second, it is an event-driven engine that is used to create arbitrary programs to analyze your network data.
Third, it’s the best threat intelligence detection machine available. With Bro, you can look for threats the intelligence has identified in ways you did not think you could – and in ways that a traditional IDS cannot. You can look at protocols, at headers and domain names in an HTTP call or in certificates, for example.
5) Why caused you to want to get involved with Zee [Bro]?
MP: I was investigating another open source project to install a network trojan detection system and in the process found Bro IDS. One of the things that was most exciting about it was the fidelity of Bro logs about our network. I could see all types of connection logs, including everything on the upper layer such as HTTP sessions, DNS logs and SSL.
I created these logs with a simple request and having this sort of information during an incident is invaluable. If something was missing, I can add arbitrary detection logic to find it. I can write detection logic for anything I might imagine.
Bro also has a super helpful community, which is important because there is a learning curve. However, the main reason is I wanted the total network visibility that Bro could provide.
6) What resources would you recommend to anyone seeking to learn more about Zeek IDS [Bro]?
MP: I would recommend the annual conference call BroCon. It provides a good overview of Bro and what’s going on within the community. That’s important because BroCon is a good networking opportunity and there are a lot of people happy to talk to you about Bro.
I’d also recommend the Bro YouTube channel and looking at the slides and PDFs from the previous conferences (2015, 2016, 2017). The Bro website is useful too as are some hashtags on Twitter such as #BroIDS and #threathunting.
* * *
Readers can also find more form Michal on Twitter: @MichalPurzynski and several of his prior conference presentation are available online including the following:
Editorial Note: Bricata is a sponsor of BroCon 2018 and the team is presenting a session titled, “Network Enrichment for Analysis and Threat Hunting.” The session is scheduled for Friday, October 12, 2018, starting at 9:00 a.m.
If you enjoyed this post, you might also like:
How Bro IDS can Help Security Capture Institutional Knowledge for Cyber Alert Enrichment and Better Network Traffic Analysis