If you apply Pereto’s Principal (the 80/20 rule) to network security, about 80% of incidents are caused by known threats that are easily identified by signature-based rules system and 20% come from previously unknown threats, which are often the most damaging and costly.
There has been much talk over the past decade about Suricata and Zeek (formerly Bro) and how both can improve network security. So, which one should you deploy? The answer is both. Suricata and Zeek perform two different types of network protection and both are needed if you want to find known and unknown threats.
Suricata is the gold standard of signature-based threat detection engines. It was introduced to rapidly identify known threats and enable additional rules to be deployed when new exploits are discovered. Built on a multi-threaded architecture that leverages modern hardware, Suricata enables high performance traffic inspection and quickly processes many rules against large volumes of network traffic. Suricata is compatible with the vast repositories of Snort rules and supports the LUA scripting language so users can create rules to detect complex threats.
By comparison, Zeek was initially designed to be a Swiss Army knife for network metadata monitoring. It monitors traffic streams and produces logs that record everything it understands about the network activity and other metadata that is useful for analyzing and understanding the context of network behavior. Much of the metadata Zeek produces was previously available only from packet capture (PCAP) data. Metadata may also be searched, indexed, queried, and reported in new ways that weren’t possible with PCAP. The Zeek programming language, structured similarly to C++, can be used to calculate numerical statistics, perform regular expression pattern matching, and customize the interpretation of metadata to the specific needs of an organization.
Suricata and Zeek have their own unique strengths, which is why you need both.
- Suricata is far more efficient than Zeek at monitoring traffic for known threats and producing alerts when they are detected. Another benefit is that new threat intelligence is often available first in a format compatible with Suricata.
- Zeek delivers the large volumes of high-quality data needed to provide comprehensive network traffic visibility and context, and enable network baselining, host and service profiling, passive inventory collection, policy enforcement, anomaly detection and threat hunting efforts.
Ideally, organizations would rely on Suricata to rapidly identify attacks where signatures are readily available and use Zeek to provide the metadata and context necessary to successfully triage alerts from Suricata and create comprehensive timelines of the entire threat landscape. The combination of Suricata and Zeek is also highly effective for threat hunting. For example, Suricata might send an alert that a system is compromised and the incident and connections before and after it occurred are recorded by Zeek and can be analyzed to determine if other network communications strengthen or help explain the incident.
For full spectrum threat detection, you need the capabilities Suricata and Zeek provide, plus ML-based malware detection. The Bricata network security platform combines Suricata, Zeek, ML-based malware detection and full PCAP data in one place to deliver comprehensive network detection and response capabilities for cloud, hybrid and on-premises environments.