Tuesday, October 8, 2019

ZeekWeek Q&A with the Community: Bricata

by Amber Graner, Zeek Director of Community

As ZeekWeek gets underway, we wanted to find out what’s new among members of the Zeek Community. Accordingly, we had a chance to catch up with the Bricata team.

Bricata is a contributor to the Zeek community, and supporter of ZeekWeek as the exclusive sponsor of the Welcome Reception for the 2019 event.

1. For those who are new to the network security monitoring (NSM) space, can you tell people about Bricata?

Bricata: Bricata is laser-focused on empowering security analysts to hunt effectively. The platform provides analysts with the tools they need to adequately respond to network threats and provide comprehensive network protection. Bricata gives security teams the capabilities to do things like:

  • Obtain network visibility quickly to thoroughly understand what’s taking place in their environment
  • Respond to alerts and understand their context. Alerts are triggered by our multiple threat detection engines, including Zeek, Suricata, IOC matching, and AI-based binary conviction
  • Hunt for zero-day threats using Zeek-generated metadata and PCAPs and develop countermeasures against future attacks

From a workflow perspective, Bricata is especially well-suited to threat investigation and hunting. That means the platform provides a streamlined approach to foraging through network data and developing insight. It’s the metadata produced by Zeek that provides the context for investigating alerts and taking action with the platform.

Flexibility is an important principle here. Bricata gives security organizations the flexibility to customize and enrich the network metadata so that it’s meaningful within the context of their specific environments and use cases. In addition, our dashboard and visualization tools can be easily tailored to an individual analyst’s preferences.

2. Why is ZeekWeek and the Zeek Project important to Bricata?

Bricata: ZeekWeek is a time for everyone in the community to get together. We’ve found it to be a very devoted group of people sharing their experiences working with Zeek and sharing how they’ve worked out solutions to difficult, but common challenges.

In the past, we’ve used this opportunity to share successes we’ve had with the Zeek Project in the context of our solution and our customers’ use of Zeek. For example, we previously released a labeling module to the community, which provides a way for analysts to share their knowledge about the environment. Those labels are matched with network data that Zeek is generating, which in turn enables more sophisticated threat detection and network analysis.

We expect to see a lot of focus on machine learning this year with Zeek-produced datasets, and particularly on how people are optimizing their use and management of it. That’s important because network speeds keep getting faster and, unconstrained, Zeek is known to produce a high volume of data.

3. What can attendees expect to learn if they visit your booth at ZeekWeek?

Bricata: Visitors will see just how easy we’ve made it to deploy and use Zeek in their environment. They can stand it up and get usable network visibility very quickly. This allows them to easily incorporate it into their IT infrastructure and security operations.

Secondly, people that haven’t seen the solution in a while will find some of the most recent enhancements we’ve made for our customers interesting. For example, as members of the community know, Zeek can generate a wealth of metadata. While that’s useful, it can also be overwhelming, so we’ve incorporated fine-grain filters that permit security teams to precisely control the Zeek logs they require. This ability prevents the costly processing and storage of unnecessary metadata.

Finally, and this is one of the benefits of the community, we’ve adopted the 5-tuple Community ID hash. We’re using it to help consolidate similar alerts under a single grouping as a means to reduce the alert fatigue the SOC can sometimes experience. Bricata is bullish on the Community ID because we see it as an up-and-coming standard that will enable seamless interoperability with other security solutions.
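
The Community ID grouping described in the answer above, as an added Python example that is not Bricata’s code: it computes the version 1 Community ID from the spec’s hash input (seed, canonically ordered addresses, protocol, padding, ports) and buckets alert records from two detection engines under the flow they share, so both directions of one conversation land in one group. The alert records, addresses and signature names are constructed, and the spec’s ICMP type/code mapping is left out.

```python
import base64
import hashlib
import ipaddress
import struct
from collections import defaultdict

# IANA protocol numbers whose port fields are part of the hash input.
# (The spec also maps ICMP/ICMPv6 type and code onto the port slots; omitted here.)
PORT_PROTOS = {6, 17, 132}  # TCP, UDP, SCTP


def community_id_v1(saddr, sport, daddr, dport, proto, seed=0):
    """Return the version 1 Community ID ("1:" + base64(SHA-1)) for a flow.

    Endpoints are put in canonical order (lower address first, lower port
    on a tie) so both directions of one conversation get the same ID.
    """
    sa = ipaddress.ip_address(saddr).packed
    da = ipaddress.ip_address(daddr).packed
    if proto not in PORT_PROTOS:          # port-less protocols: ports are not hashed
        sport = dport = 0
    if (sa, sport) > (da, dport):
        sa, da, sport, dport = da, sa, dport, sport
    data = struct.pack("!H", seed) + sa + da + struct.pack("!BB", proto, 0)
    if proto in PORT_PROTOS:
        data += struct.pack("!HH", sport, dport)
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


def group_alerts_by_flow(alerts, seed=0):
    """Bucket alert records under the Community ID of the flow they cite."""
    groups = defaultdict(list)
    for a in alerts:
        cid = community_id_v1(a["src"], a["sport"], a["dst"], a["dport"], a["proto"], seed)
        groups[cid].append(f'{a["engine"]}: {a["sig"]}')
    return dict(groups)


# Constructed alerts (not real detections): two engines fire on the same
# HTTP flow, one recording it client->server and the other server->client.
SAMPLE_ALERTS = [
    {"engine": "suricata", "sig": "rule-A", "src": "10.0.0.5", "sport": 51234,
     "dst": "203.0.113.9", "dport": 80, "proto": 6},
    {"engine": "zeek", "sig": "notice-B", "src": "203.0.113.9", "sport": 80,
     "dst": "10.0.0.5", "dport": 51234, "proto": 6},
    {"engine": "suricata", "sig": "rule-C", "src": "10.0.0.5", "sport": 40000,
     "dst": "203.0.113.53", "dport": 53, "proto": 17},
]
```

Running `group_alerts_by_flow(SAMPLE_ALERTS)` yields two groups: the HTTP flow with both engines’ hits, and the DNS flow with one.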

4. What else would you like attendees to know about that I haven't asked you about?

Bricata: Fly-Away kits are one of the initiatives we have that extend beyond the traditional use cases for NSM. Zeek is an integral part, and here are a couple of examples:

  • We’ve partnered with a solution provider that makes network taps to develop a portable flyaway kit for incident response. This brings visibility to environments that are not properly instrumented, or where the response team is unfamiliar with the environment.
  • We’re continuing to build traction among service providers who provide digital forensics and incident response (DFIR). Their teams are using our platform when deployed to dynamic situations like data breaches, insider threats, or any sort of suspected malicious network activity. It helps incident responders quickly understand what is happening on a network, detect threats and facilitate the incident response process.

* * *
ZeekWeek 2019 attendees interested in learning more about Bricata should look for their display on the exhibition floor. In addition, you can check out their website, and stay in touch on LinkedIn or Twitter.

Friday, October 4, 2019

Zeek, Corelight and Humio help make observability accessible

Guest post by Humio

We’re proud to have Humio on board as the exclusive training sponsor for ZeekWeek 2019. As a thought leader in the observability space, Humio has a deep understanding of making observability accessible, comprehensive, and affordable.

Humio can help you efficiently visualize and get answers from the Zeek log volumes that Corelight sensors generate. By pairing Corelight’s deep network monitoring and logging with Humio’s fast and affordable log management technology, you’ll get accurate answers to critical security and IT questions more quickly and more easily than you thought possible.

Humio shares their thoughts about how the need for comprehensive observability is driving a cultural shift.

Our industry is moving at lightning speed towards distributed service-driven architectures, and engineers are on a quest to improve how they observe their systems as a whole. Adoption of microservices and containerized architectures has elevated the need for developers and operations teams to use observability solutions to correlate events, identify threats, and troubleshoot problems. From a business value point of view, managers want observability solutions that allow them to keep calm when their software infrastructure and services are hit with incidents or failures.

Many organizations adopt a combination of log management, metrics, and tracing solutions for observability across their infrastructure. We have found that just having these tools isn’t enough to ensure that engineering teams are able to reap value from them. A cultural shift is required.

Excerpt from O’Reilly’s Distributed Systems and Observability book by Cindy Sridharan:

“As my friend Brian Knox, who manages the Observability team at DigitalOcean, “The goal of an Observability team is not to collect logs, metrics, or traces. It is to build a culture of engineering based on facts and feedback, and then spread that culture within the broader organization.

“The same can be said about observability itself, in that it’s not about logs, metrics, or traces, but about being data-driven during debugging and using the feedback to iterate on and improve the product.”

As Brian Knox and Cindy Sridharan mention in the excerpt above, observability is about having an engineering culture that values facts and feedback, “being data driven” during debugging, and using this mindset to iterate, improve, and solve problems.

At Humio, we meet many teams that have yet to access the full value they could get from their log data. This isn’t because they don’t have or want a “data driven” observability engineering culture, but rather that their current log solution restricts them from being able to.

Commonly, teams encounter three restrictions with their log solutions:

1. Volume: Modern organizations generate large amounts of unstructured log data — a lot of time is spent on limiting or deciding what data to send to the system. 
2. Speed: Slow queries and latency between index and search phases take too long. Ultimately, the data isn’t available fast enough. 
3. Simplicity: Logging solutions that are not easy to use, query, deploy, or manage result in limited use or frustration using them.

Data-driven Log Management

Our approach at Humio is to remove these restrictions, so data-driven observability teams can gain more value from their log data. We encourage engineers to send all relevant log data, and for all the data to be accessible. Limiting data based on what a logging solution can handle is restrictive, and often it is the logs that were left out that create frustrating debugging scenarios.

Humio is built to scale linearly, and efficiently store data so users aren’t wasting their compute resources. These days, speed matters, and by using real-time streaming capabilities for querying and dashboards, Humio superpowers live system visibility for engineers. Our CTO, Kresten Krab Thorup, wrote a blog post to explain how Humio scales and handles data.

For data-driven logging to succeed, engineering teams should use it for the value it provides. Humio’s query language and ease of use speed adoption past just the Ops team to the developer organizations, making it a shared solution for everyone. For example, Lunar Way’s developer-driven ops uses Humio across both its development and operations teams.

Observability Site License

Humio’s approach to logging is valuable for both small- and large-volume users. For teams with large logging volumes (multi TB/day), Humio software is available On-Premises at a fixed annual site license price. This enables companies to access large log volumes without volume-based licensing costs or extra manpower required in running complicated cluster logging environments. With this model, organizations can add instances and scale up as their data volumes grow or burst. For observability or infrastructure teams who want to deploy multi-tenant logging infrastructures across teams within an organization, Humio can provide simple pricing.

At Humio, we believe in the value of data-driven logging, and the benefits companies derive from this in their observability stack. With a unique product and simple pricing, Humio is on a mission to bring this value to engineering teams who’ve been struggling until now.

Thursday, October 3, 2019

ZeekWeek 2019 - Thank you to our sponsors

The Zeek Project Leadership Team (LT) would like to thank all of the ZeekWeek 2019 sponsors for their generous support. Without their ongoing support ZeekWeek would not be possible.

ZeekWeek is the most important community event for users, developers, incident responders, threat hunters and architects who rely on the open-source Zeek network security monitor as a critical element in their security stack.

If you want to meet with the Zeek Leadership team, core maintainers or our sponsors, registration is still open.

We look forward to seeing you all and our sponsors in Seattle on 8-11 October.

This year’s sponsors include:

40 GIG

10 GIG

Hosted by: