ZeekWeek is an annual conference centered on Zeek – an open-source network security monitoring technology. The conference starts today and runs through Friday. Bricata is a proud member of the Zeek community and an avid supporter of ZeekWeek 2019.
If you are attending, we’d welcome the chance to speak with you and show you how we’ve integrated Zeek into our platform. In the meantime, here are a few things network security professionals should know about Zeek.
1) Zeek is a little known but powerful network security tool.
The technology has been around for about two decades now, but it hasn’t yet gained the awareness to match its age. Security professionals familiar with Zeek will attest, that it’s one of the most powerful network security tools you never heard of.
In an interview with us last year (before the name was changed), Michal Purzynski, a member of the Zeek leadership team and a staff security engineer for Mozilla, underscores three capabilities about Zeek that make it so powerful:
“First, Bro [Zeek] is like a time machine that lets you look back at what happened before or during an incident.
Second, it is an event-driven engine that is used to create arbitrary programs to analyze your network data.
Third, it’s the best threat intelligence detection machine available. With Bro [Zeek], you can look for threats the intelligence has identified in ways you did not think you could – and in ways that a traditional IDS cannot. You can look at protocols, at headers and domain names in an HTTP call or in certificates, for example.”
2) Zeek is well-suited to threat hunting.
If you attend a session on threat hunting, there’s a good chance Zeek will come up as a useful tool at some point. For example, the team lead for threat hunting at Walmart mentioned Zeek in his session at the RSA conference. In addition, we had the good fortune of hosting a leading expert on threat hunting for a webinar – and Zeek had a cameo in his presentation too.
Here’s a good explanation:
“Zeek is an intrusion detection system that works differently from other systems because of its focus on network analysis. While rules-based engines are designed to detect an exception, Zeek looks for specific threats and trigger alerts.
While Zeek IDS can certainly be used as a traditional IDS, users more frequently use Zeek to record detailed network behavior. For example, it can be used to keep long-term records of all HTTP requests and results – or tables correlating MAC and IP addresses.
Zeek stores the network metadata it records more efficiently than packet captures, which means it can be searched, indexed, queried, and reported in ways previously unavailable. This makes Zeek especially well-suited for network anomaly detection and threat hunting.”
3) Zeek can support cybersecurity knowledge management.
When an organization loses an analyst – to another employer – there’s a wealth of institutional knowledge that goes with that person. This often includes a deep understanding of the IT environment, nomenclature and unique threats facing the business.
We were able to use Zeek to build a module that helps address this challenge with a technical solution:
“The idea is to put a labeling capability at the fingertips of an analyst and within the network analysis tool, they are already using. This provides a concise way for analysts to share their knowledge about an environment. In other words, it’s using asset inventory as a means to capture knowledge about that IT environment and more importantly, the purpose of each device, box or host.”
What benefit does that provide? The labeling capability allows defenders to conduct more sophisticated threat detection and network analysis because “those labels are married with network data the Zeek framework is already generating.”
Here’s a case in point:
“If you are an analyst examining an IP address, you can’t make assumptions about what types of behavior – connections and protocols – that machine should or should not be using. However, if another analyst previously labeled that machine as a Microsoft SQL database server, you now have the context to discern what is normal and what is suspicious or even a clear threat. Simply stated, these labels are used to enrich and fuse data sets to provide analysis that wouldn’t be possible otherwise.”
4) Zeek can help analysts identify threats in encrypted traffic.
Encryption both has benefits and drawbacks. On one hand, it boots user privacy in communications, but on the other, that can be exploited by threat actors. Many security analysts have lamented the loss of network visibility with the adoption of encryption.
Here again, Zeek can help. First, to be clear, Zeek cannot help you read the contents of encrypted traffic. What it can do is enable defenders to analyze network metadata to look for threat indicators:
“Every network transaction, even those that are encrypted – like a website call or a web request – has data that describes it: originating IP address, destination IP address, the network protocol being used (HTTPS), the number of packets sent and the byte count, among potentially hundreds of other attributes. These attributes can be examined to help identify threats or potential threats in several ways.”
Some of the techniques for analyzing those attributes include:
- Monitoring traffic flow for network anomalies;
- Identifying anomalies related to your organizations use of encryption; and
- Profiling threat actor encryption behaviors.
5) Zeek has the flexibility to meet specific needs across verticals.
Zeek is exceptional at helping to detect behavioral anomalies on a network: a server that starts calling hosts it never has called before – or begins using a network protocol that is unusual. That’s a common and broad case study, so here are a few industry-specific use cases that highlight the flexibility of Zeek and how it can be tailored to unique environments:
- Zeek in retail. Zeek can be configured to monitor point-of-sale (POS) systems to characterize the normal pattern of traffic to and from POS terminals – and identify when those patterns deviate. This can be used to flag potential problems sooner, and in the event of a compromise, understand the effects on data and scope of impact.”
- Zeek in energy. Energy companies ordinarily employ supervisory control and data acquisition (SCADA) – an air-gapped IP-based control system – where network transactions tend to fall into a consistent pattern. Zeek is often used to establish a baseline for normal network activity and develop scripts to identify deviations.
- Zeek in healthcare. Zeek captures metadata about the network transactions and its “programming language can be used to write scripts to interpret when metadata contains information suggesting PHI is potentially leaving the network.”
* * *
Are you headed to ZeekWeek 2019 in Seattle? If so, please do stop by the expo floor on October 8th through October 11th and let us show you how we’ve integrated Zeek and other detection tools on our platform. Alternatively, if aren’t attending but would like to see our solution in action, you are welcome to schedule a live demonstration.
If you enjoyed this post, you might also like:
6 Common Flaws that Can Emerge in a Network Security Strategy Over Time