The program consisted of talks by the Bro development team and external contributors from science and industry:
Vern Paxson (Corelight, UC Berkeley, ICSI)
Vern Paxson is a professor of Computer Science at UC Berkeley, the head of the Networking and Security research group at the International Computer Science Institute, and co-founder and Chief Scientist of Corelight, Inc. He has been working on the Bro Project for as long as that was possible!
Robin Sommer (Corelight, ICSI)
This talk will give an overview of Bro’s approach & architecture, and showcase a few typical use cases. We’ll see how Bro provides deep visibility into a network’s traffic through rich, real-time log streams. We’ll discuss Bro’s event-based, policy-neutral architecture that provides the foundation for developing powerful custom analyses through Bro’s domain-specific scripting language. We’ll conclude with a look at the Bro Package Manager, which makes it easy to share custom scripts with the broader Bro community.
Robin Sommer is leading Bro’s open-source development team. He’s the CTO, and a co-founder, of Corelight, a recent startup bringing Bro’s capabilities to enterprise environments. Robin is also a Senior Researcher at the International Computer Science Institute in Berkeley, as well as an affiliated researcher at the U.S. Department of Energy’s Berkeley Lab.
Digging through Logs with Seth
Seth Hall (Corelight)
Using Bro for operational security in distributed computing: The WLCG Security Operations Center
Liviu Valsan (CERN) & David Crooks (STFC)
The modern security landscape for distributed computing in High Energy Physics (HEP) includes a wide range of threats employing different attack vectors. The nature of these threats is such that the most effective method for dealing with them is to work collaboratively, both within the HEP community and with partners further afield - these can, and should, include institutional and campus security teams. In parallel with this work, an appropriate technology stack is essential, incorporating current work on Big Data analytics.
The work of the Worldwide LHC Computing Grid (WLCG) Security Operations Center (SOC) working group is to pursue these goals to form a reference design (or guidelines) for WLCG sites of different types. The strategy of the group is to identify necessary components - starting with threat intelligence (MISP) and network monitoring (Bro) - and build a working model over time.
We present on the progress of the working group thus far, in particular on the programme of workshops now underway. These workshops give an opportunity to engage with sites to allow the development of advice and procedures for deployment, as well as facilitating wider discussions on how to best work with trust groups at different levels. These trust groups vary in scope but can include institutes, NGIs and the WLCG as a whole.
Liviu Valsan holds a Bachelor's degree in Computer Science and a Master's degree in IT Project Management. Before joining CERN he worked as a Software Engineer and Project Manager inside a dynamic Romanian IT start-up, while taking a position of Teacher Assistant with Politehnica University Bucharest.
He started working at CERN in 2008 as a Software Engineer and System Administrator with the ATLAS experiment at the Large Hadron Collider (LHC). Liviu joined CERN openlab in 2012 as a staff Software Engineer, taking an active role in the research and development efforts inside the Platform Competence Centre. CERN openlab is a unique public-private partnership that works to accelerate the development of cutting-edge ICT solutions for the worldwide LHC community and wider scientific research.
In 2013 Liviu joined the CERN IT Procurement Team where he was responsible for reliable procurement of complex server and storage systems (thousands of compute servers and tens of petabytes of storage).
Since 2015 he has been part of the CERN Computer Security Team, leading the design and implementation of an integrated Security Operations Centre, built on top of Big Data technologies and able to cope with 5 TB of data / day.
David Crooks is the Security Officer for the GridPP project, which provides the UK contribution to the Worldwide LHC Computing Grid (WLCG) as well as supporting other communities. He is a member of the EGI CSIRT, which coordinates operational security activities within the EGI Infrastructure, in particular being a member of the Incident Response Task Force and Software Vulnerability Group.
In addition, David is co-chair of the WLCG Security Operations Centres (SOC) Working Group, along with Liviu Valsan. This group is primarily tasked with providing guidance to WLCG sites on deploying security tools such as the threat intelligence sharing platform MISP as well as, in particular, Bro.
Writing Analyzers with Bro
Vlad Grigorescu (ESnet)
Adding support for a new protocol or file format is one of the most powerful ways of extending Bro's capabilities -- but it can also be a daunting task. This talk will walk through the tools, techniques and documentation for adding support for both a new network protocol and a new file format.
Vlad Grigorescu is a Security Engineer at the Energy Sciences Network ("ESnet") in Berkeley, CA. His main responsibility is designing, developing and deploying custom solutions for network monitoring, threat mitigation, incident response automation, and log collection and aggregation. Vlad has contributed a number of protocol analyzers to Bro, including Kerberos, MySQL, and RADIUS.
Intrusion Detection with Bro in an Enterprise Environment: A Berkeley Lab Approach
Aashish Sharma (LBNL)
The focus of this presentation is to provide insights into how some of the most interesting security incidents resulted in setting up a comprehensive monitoring infrastructure at Berkeley Lab. We will describe how we use Bro to discover security incidents, our team’s response and the lessons learned. By presenting the deployment of Bro in a way that demonstrates the architecture and approaches by which security can be done better, we hope to provide IT security practitioners and leaders with better ways to detect, investigate and discuss their own incidents using Bro. We focus on our detection methods and how new incidents feed back into our monitoring techniques.
Bro vs Suricata: Two Approaches to Network Security Monitoring
Christian Kreibich (Corelight)
To analysts with a traditional IDS background, Bro's operational model is often confusing. To clear things up, this talk presents an in-depth comparison of Bro to the dominant "other" open-source IDS, Suricata. I will cover the basic notions of policy-neutral analysis vs. misuse detection, both systems' architectures, and recent features that blur the line between the two, and explore why Bro and Suricata are often deployed jointly.
An engineer at Corelight, Christian helps commercialize one of his first NSM loves: the Bro network monitor. Prior to Corelight he led the networking team at Lastline. He’s also a researcher in the Networking Group at the International Computer Science Institute in Berkeley, and has served on the OISF advisory board.
Bro for SSL Research
Johanna Amann (ICSI, Corelight, LBNL)
Bro @ KIT
Jan Grashöfer (KIT), Christian Titze (KIT) & Matthias Grundmann (KIT)
The Decentralized Systems and Network Services Research Group (DSN) makes use of Bro in the context of current research and contributes to the project. This talk will provide an overview of the group's recent activities, including:
- Research on probabilistic data structures to improve Threat Intelligence matching
- Research on security implications of monitoring performance
- Recent studies on ransomware detection in academic environments
Jan Grashöfer and Matthias Grundmann are scientific staff members in the Decentralized Systems and Network Services Research Group. Christian Titze is a student at KIT and has just finished his Master's thesis conducting a security-oriented performance analysis of Bro.
Bro-Osquery: Let Bro know about the hosts it monitors
Steffen Haas (University of Hamburg)
Bro, as a powerful network monitoring tool, enables comprehensive analysis of the communication in your network. However, these capabilities can only be used as long as Bro has full visibility into the network traffic. Nowadays, more and more traffic is encrypted, and attacks are becoming more and more sophisticated. As a result, many security-related incidents go unrecognized as long as monitoring and intrusion detection are limited to network traffic.
The intention of bro-osquery is to collect host and network data on a common platform and to provide the ability to correlate them for network monitoring and intrusion detection. When monitoring either hosts or the network alone, the other one is a blind spot in your monitoring. But when monitoring both, information from hosts and network can perfectly complement each other. With their correlation, you gain more detailed knowledge about the activities of hosts and achieve better visibility into the complete network infrastructure. The principle of correlation is to link host information for processes that emit traffic with network information for the corresponding packets.
In bro-osquery we implement this concept for the host monitor osquery and the Bro network IDS. By establishing bi-directional publish-subscribe communication between osquery hosts and Bro, they can directly exchange data, i.e., SQL queries and their results. We provide a framework of Bro scripts that allows running custom queries against all hosts, individual hosts, or specific groups of hosts. Bro dynamically controls the query schedule of the hosts, retrieves and processes the corresponding data, and can even asynchronously query hosts on demand for additional data.
Steffen Haas has been a PhD student in the IT-Security and Security Management research group at the University of Hamburg since 2016. Previously, he worked as a research assistant at the University of Muenster from 2015 to 2016. Steffen received his Master's degree at the TU Darmstadt in 2015 and graduated from the Baden-Wuerttemberg Cooperative State University in 2013. His research interests are various aspects of cyber-security, especially threats and appropriate countermeasures related to computer networks. His current research focuses on monitoring of P2P-botnets, collaborative intrusion detection and alert correlation in distributed systems.
Enhance Encrypted Network Telemetry
Jeff Atkinson (Salesforce)
Network traffic encryption has become commonplace on the internet and among adversaries. Adversaries are hiding within the SSL/TLS profile of networks. This talk will address some of the problems with current detection methods, along with techniques for enhancing SSL/TLS encrypted traffic telemetry, including the JA3 fingerprint.
Jeff Atkinson is a security researcher with almost two decades focused on Information Security. He brings a unique perspective on defense strategies with a strong background in Incident Response, Threat Intelligence, and Malware Analysis. While working in both public and private sectors, including Fortune 50 companies, he deployed scalable custom network monitoring solutions, always including his favorite tool, Bro. He is one of the original creators of the JA3 fingerprint technique.