bringing bro to the enterprise
play

Bringing Bro to the Enterprise Comprehensive Visibility & - PowerPoint PPT Presentation

Dec 25, 2022 •238 likes •644 views

Bringing Bro to the Enterprise Comprehensive Visibility & Response for Every Corner of Your Network Robin Sommer International Computer Science Institute, & Broala, LLC robin@icsi.berkeley.edu robin@broala.com

  1. Bringing Bro to the Enterprise Comprehensive Visibility & Response for Every Corner of Your Network Robin Sommer International Computer Science Institute, & Broala, LLC robin@icsi.berkeley.edu robin@broala.com http://www.icir.org/robin

  2. Outline Bro Overview A production-quality open-source network monitor. A Bit of Bro History From academic research to enterprise deployment. Enterprise Solutions Roadmap for deep visibility and control. 2 Bringing Bro to the Enterprise

  3. The Bro Platform Open Source BSD License Analysis Network Intrusion Vulnerability Traffic Compliance Traffic Control Visibility Detection Management Measurement Monitoring Programming Language Standard Library Platform Packet Processing Tap Network 3 Bringing Bro to the Enterprise

  4. “What Can It Do?” 
 Custom Log Files Alerts Logic “Network ground truth” 4 Bringing Bro to the Enterprise

  5. Bro’s Log Files Rich, structured, real-time activity streams. Network Traffic Logs Bro 5 Bringing Bro to the Enterprise

  6. Connections Logs conn.log Timestamp ts 1393099415.790834 Unique ID CSoqsg12YRTsWjYbZc uid Originator IP 2004:b9e5:6596:9876:[…] id.orig_h Originator Port 59258 id.orig_p Responder IP 2b02:178:2fde:bff:[…] id.resp_h Responder Port 80 id.resp_p IP Protocol tcp proto App-layer Protocol http service Duration 2.105488 duration Bytes by Originator 416 orig_bytes Bytes by Responder 858 resp_bytes TCP state SF conn_state Local Originator? F local_orig Gaps 0 missed_bytes State History ShADafF history Outer Tunnels tunnel_parents Cneap78AnVWoA1yml 6 Bringing Bro to the Enterprise

  7. HTTP http.log ts 1393099291.589208 uid CKFUW73bIADw0r9pl id.orig_h 2a07:f2c0:90:402:41e:c13:6cb:99c id.orig_p 54352 id.resp_h 2406:fe60:f47::aaeb:98c id.resp_p 80 method POST host com-services.pandonetworks.com uri /soapservices/services/SessionStart referrer - user_agent Mozilla/4.0 (Windows; U) Pando/2.6.0.8 status_code 200 username anonymous password - orig_mime_types application/xml resp_mime_types application/xml 7 Bringing Bro to the Enterprise

  8. SSL ssl.log ts 1392805957.927087 uid CEA05l2D7k0BD9Dda2 id.orig_h 2a07:f2c0:90:402:41e:c13:6cb:99c id.orig_p 40475 id.resp_h 2406:fe60:f47::aaeb:98c id.resp_p 443 version TLSv10 cipher TLS_DHE_RSA_WITH_AES_256_CBC_SHA server_name www.netflix.com CN=www.netflix.com,OU=Operations, subject O=Netflix, Inc.,L=Los Gatos, ST=CALIFORNIA,C=US CN=VeriSign Class 3 Secure Server CA, issuer_subject OU=VeriSign Trust Network,O=VeriSign, C=US not_valid_before 1389859200.000000 not_valid_after 1452931199.000000 client_subject - client_issuer_subject - cert_hash 197cab7c6c92a0b9ac5f37cfb0699268 validation_status ok 8 Bringing Bro to the Enterprise

  9. Software software.log ts 1392796839.675867 host 10.209.100.2 host_p - software_type HTTP::BROWSER name DropboxDesktopClient version.major 2 version.minor 4 version.minor2 11 version.minor3 - version.addl Windows DropboxDesktopClient/2.4.11 unparsed_version (Windows; 8; i32; en_US; Trooper 5694-2047-1832-6291-8315) 9 Bringing Bro to the Enterprise

  10. Files files.log ts 1392797643.447056 fuid FnungQ3TI19GahPJP2 tx_hosts 191.168.187.33 rx_hosts 10.1.29.110 conn_uids CbDgik2fjeKL5qzn55 source SMTP analyzers SHA1,MD5 mime_type application/x-dosexec filename Letter.exe duration 5.320822 local_orig T seen_bytes 39508 md5 93f7f5e7a2096927e06e[…]1085bfcfb sha1 daed94a5662a920041be[…]a433e501646ef6a03 10 Bringing Bro to the Enterprise

  11. “What Can It Do?” 
 Custom Log Files Alerts Logic “Watch this!” “Don’t ask what Bro can do. “Network Ground Truth” Ask what you want it to do.” Record & trigger actions 11 Bringing Bro to the Enterprise

  12. Typical Deployment Internet 1/10G Border Gateway Bro Logs & Alerts Bro Bro NIC Bro 1/10G Bro Bro System LAN 12 Bringing Bro to the Enterprise

  13. Cluster Deployment Internet 100G Border Gateway Load-balancer 100G 10G 10G 10G 10G Logs & Alerts LAN NIC NIC NIC NIC Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Node Node Node Node Bro Cluster 13 Bringing Bro to the Enterprise

  14. “Who’s Using It?” Installations across the Country BroCon 2015, MIT Universities Research Labs Supercomputing Centers Update Government Organizations Fortune 20 Enterprises Community 50/90/150/180 attendees at BroCon ’12/’13/’14/‘15 110 organizations at BroCon ‘15 Fully integrated into Security Onion 4,500 Twitter followers 1,000 mailing list subscribers Popular security-oriented Linux distribution 100 users average on IRC channel 10,000 direct downloads / version from 150 countries 14 Bringing Bro to the Enterprise

  15. A Bit of Bro History From Academic Research To Enterprise Deployment 15 Bringing Bro to the Enterprise

  16. Bro History Host Context Academic Time Machine Enterprise Traffic Publications Summary Stats HILTI TRW 
 DPI Concurrency State Mgmt. PLC Modeling Bro Cluster 
 Independ. State Shunt NetControl Anonymizer 
 Parallel Prototype Input Framework VAST Active Mapping BinPAC Tor Traffic Backdoors Context Signat. DPD SSL Trust USENIX Paper Stepping Stones 2nd Path Autotuning Relationships 2015 2016 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 v2.4 Broker, v2.2 Plugins, Vern File Analysis v2.0 DTLS/KRB v0.7a90 v1.5 v0.2 v0.6 v0.8aX/0.9aX 
 writes Summary Stats User Experience v1.1/v1.2 Profiling BroControl 1st CHANGES RegExps SSL/SMB 1st line when Stmt State Mgmt entry Login analysis STABLE releases of code v2.1 v2.3 Resource tuning BroLite Bro SDCI IPv6 Performance Broccoli Input Framew. SNMP, DPD Radius, SSL++ v0.4 
 v0.7a175/0.8aX v1.4 v1.0 LBNL starts HTTP analysis Signatures DHCP/BitTorrent BinPAC using Bro Bro Center Scan detector SMTP HTTP entities IRC/RPC analyzers operationally IP fragments 
 IPv6 support NetFlow 64-bit support Linux support User manual Bro Lite Deprecated Sane version numbers v0.7a48 v1.3 0.8a37 Consistent Ctor expressions Communication GeoIP Persistence CHANGES Conn Compressor Namespaces Log Rotation 16 Bringing Bro to the Enterprise

  17. A Tale of Two Users Science & Higher Education Enterprises & Government Happy to experiment. Used to purchasing solutions. Used to open-source software. Require reliable point of contact. Driven by skilled individuals. Avoid dependence on individuals. Limited funding. More flexible budgets. Bro Center of Expertise 17 Bringing Bro to the Enterprise

  18. Enterprise-grade Bro solutions, from the creators of Bro. Commercial Bro support plans. Plug & play Bro appliances. Bro logs and file extraction. Export to Kafka, Splunk, Syslog, SFTP. Aggressively tuned for performance. Zero maintenance, ready for the future. BroBox One Visibility, made elegantly simple. 18 Bringing Bro to the Enterprise

  19. Advantage: Integration With BroBox One we are controlling the full stack. Bro Bro NIC Bro Bro Bro 1 year Bro System We can take integration much further, while maintaining the open-source spirit. 19 Bringing Bro to the Enterprise

  20. Enterprise Solutions Roadmap for deep visibility and control 20 Bringing Bro to the Enterprise

  21. Monitoring Enterprise Environments From perimeter to internal. From standalone to coordinated. From passive to active. Enterprise Network Bro’s open-source roadmap is full of Enterprise functionality to Network support all of this. 21 Bringing Bro to the Enterprise

  22. Monitoring Internal Tra ffi c LBNL’s Pragmatic Approach: The “Internal Cluster” Load-balancer Subnet 2 Subnet 4 Subnet 1 Subnet 3 10G 10G 10G 10G NIC NIC NIC NIC Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Bro Node Node Node Node Bro Cluster 22 Bringing Bro to the Enterprise

  23. Vision: Deep Cluster Example: Geographically distributed organization. Config. & Logs & Bro Global Master Mgmt. Alarms Regional Heads Bro Bro Bro Bro US UK FR CN Local Clusters Bro Bro Bro Bro Bro Bro Bro Bro 23 Bringing Bro to the Enterprise

  24. Foundation: Broker Bro’s new unified communication library. Log forwarding. Public/subscribe. Event exchange. APIs for Bro, C++, C, Python. Global key/value stores. BSD license. http://github.com/bro/broker 24 Bringing Bro to the Enterprise

  25. Global Coordination with Broker Config. & Logs & Bro Mgmt. Alarms Data Store Global Events State Bro Bro Bro Bro Data Data Data Data Store Store Store Store US UK FR CN Bro Bro Bro Bro Bro Bro Bro Bro Global state through persistent data stores. Global correlation through message passing. 25 Bringing Bro to the Enterprise

  26. Bro’s Summary Statistics “Bro’s version of MapReduce.” Observation Reducer Statistical Framework Results & Outputs Sensor 1 Observation Reducer Result Values Tap Notify Master & Poll Summary Observation Reducer Result Merger Result Statistics Predicate Sensor n y Observation Reducer Result f i Merger Result t Trigger o l N l o P & Tap Values Observation Reducer Result Comes with Bro for the classic cluster. Deep Cluster support in planing. 26 Bringing Bro to the Enterprise

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bringing Blockchain to Global Enterprise Ben Taylor, CEO, LedgerDomain Orange County ACM Chapter

Bringing Blockchain to Global Enterprise Ben Taylor, CEO, LedgerDomain Orange County ACM Chapter

Bringing Blockchain to Global Enterprise Ben Taylor, CEO, LedgerDomain Orange County ACM Chapter July 18, 2018 Blockchain: Hyped and Ridiculed How Bitcoins Get Transferred So What Have We Learned from Bitcoin? Human progress is anchoring

1.1k views • 22 slides
Adit Enterprise. Adit Enterprise. Adit Enterprise. Adit Enterprise. ADIT Enterprise is a

Adit Enterprise. Adit Enterprise. Adit Enterprise. Adit Enterprise. ADIT Enterprise is a

Adit Enterprise. Adit Enterprise. Adit Enterprise. Adit Enterprise. ADIT Enterprise is a wholesale distribution business providing complete range of Electronic Security Systems Kamlesh 093232 51184 Adit Enterprise Adit Enterprise Adit

619 views • 29 slides
Bringing Reactive to Enterprise Java Developers Julien Ponge, Thomas Segismont and Clement

Bringing Reactive to Enterprise Java Developers Julien Ponge, Thomas Segismont and Clement

Bringing Reactive to Enterprise Java Developers Julien Ponge, Thomas Segismont and Clement Escoffier Red Hat Hello! We work on Eclipse Vert.x , a toolkit for writing asynchronous and reactive applications on the JVM 2 Reactive Summit 2018

519 views • 30 slides
Mission Critical Security for your Mission Critical Applications Bringing NonS top to the

Mission Critical Security for your Mission Critical Applications Bringing NonS top to the

Mission Critical Security for your Mission Critical Applications Bringing NonS top to the Enterprise and the Enterprise to NonS top About XYPRO 29 years serving the HP NonS top community S pecialists in Mission

448 views • 19 slides
Enterprise Applications Enterprise Systems Enterprise Systems Also called enterprise

Enterprise Applications Enterprise Systems Enterprise Systems Also called enterprise

9/20/2012 Enterprise Applications Enterprise Systems Enterprise Systems Also called enterprise resource planning (ERP) systems Suite of integrated software modules and a common central database Collects data from many

460 views • 16 slides
Bringing Web Services to IoTivity Opportunities, Challenges & Approaches Sanjeev BA Open

Bringing Web Services to IoTivity Opportunities, Challenges & Approaches Sanjeev BA Open

Bringing Web Services to IoTivity Opportunities, Challenges & Approaches Sanjeev BA Open Source Group Samsung Electronics Background Vertical Domains (Health, Manufacturing, Education, Consumer) Consumer Services Enterprise Services

642 views • 46 slides
Bringing Our Children Home Act and Five Nations Template Laws on Children and Families Bringing

Bringing Our Children Home Act and Five Nations Template Laws on Children and Families Bringing

Bringing Our Children Home Act and Five Nations Template Laws on Children and Families Bringing Our Children Home National Conference Breakout session November 25-27, 2019 Manitoba Specific Federal Legislation, Bringing Our Children Home Act

178 views • 16 slides
Gillian Dick - Glasgow City Council Bringing cities to life, Bringing life into cities.

Gillian Dick - Glasgow City Council Bringing cities to life, Bringing life into cities.

Gillian Dick - Glasgow City Council Bringing cities to life, Bringing life into cities. Co-funded by the Horizon 2020 Framework Programme of the European Union EU Goals for Nature based solutions. urban regeneration improved

312 views • 28 slides
Enterprise Architecture: The Next 20 Years Dr. John Gtze Enterprise Architecture? A

Enterprise Architecture: The Next 20 Years Dr. John Gtze Enterprise Architecture? A

Enterprise Architecture: The Next 20 Years Dr. John Gtze Enterprise Architecture? A discipline A profession A mindset EA s purpose: Line of sight Strategy Technology Business 4 EA = The analysis and documentation of an enterprise

607 views • 60 slides
Bringing Shrek to Life: Software Bringing Shrek to Life: Software Testing at DreamWorks Testing

Bringing Shrek to Life: Software Bringing Shrek to Life: Software Testing at DreamWorks Testing

W6 Concurrent Session Wednesday 10/24/2007 1:45 PM JUMP TO: Biographical Information The Presentation Bringing Shrek to Life: Software Bringing Shrek to Life: Software Testing at DreamWorks Testing at DreamWorks Presented by: Anna Newman,

908 views • 32 slides
Enterprise 2.0 impact on software development Martin Nally, CTO IBM Rational What is Enterprise

Enterprise 2.0 impact on software development Martin Nally, CTO IBM Rational What is Enterprise

Enterprise 2.0 impact on software development Martin Nally, CTO IBM Rational What is Enterprise 2.0? Enterprise 2.0 is the term for the technologies and business practices that liberate the workforce from the constraints of legacy

378 views • 36 slides
Division on Investment and Enterprise UNCTAD The views expressed are those of the author and do

Division on Investment and Enterprise UNCTAD The views expressed are those of the author and do

INVESTMENT, ENTERPRISE AND DEVELOPMENT COMMISSION 7 th Session Palais des Nations, Geneva 20 April 2015 Recent Trends and Policies in Investment and Enterprise Development Statement by James Zhan Director Division on Investment and Enterprise

108 views • 10 slides
www.enterprisemetals.com.au Enterprise Metals Limited Enterprise Metals Limited 203.22

www.enterprisemetals.com.au Enterprise Metals Limited Enterprise Metals Limited 203.22

Enterprise Metals Limited Investor Presentation 16 February 2012 www.enterprisemetals.com.au Enterprise Metals Limited Enterprise Metals Limited 203.22 million shares Issued Capital Share price $0.16 (close 15 Feb 2012) $32.5

693 views • 19 slides
Scaling Agile to the Enterprise Enabling the Agile Enterprise Strategically Aligned, Throughput

Scaling Agile to the Enterprise Enabling the Agile Enterprise Strategically Aligned, Throughput

Scaling Agile to the Enterprise Enabling the Agile Enterprise Strategically Aligned, Throughput Focused, Human Powered Dennis Stevens Enterprise Agile Coach www.leadingagile.com OPM3: Deputy Project Manager www.dennisstevens.com PMI Agile

851 views • 71 slides
INBOUND PRODUCT UPDATES Index of Announcements New & Improved Enterprise Products

INBOUND PRODUCT UPDATES Index of Announcements New & Improved Enterprise Products

VIDEO Brisbane HUG - Q3 2018 INBOUND PRODUCT UPDATES Index of Announcements New & Improved Enterprise Products Enterprise Suite Features The Updated Marketing Hub Enterprise The New Sales Hub Enterprise The New

823 views • 47 slides
Very Common Interview Question: What does Enterprise Value mean? / What is Enterprise

Very Common Interview Question: What does Enterprise Value mean? / What is Enterprise

Very Common Interview Question: What does Enterprise Value mean? / What is Enterprise Value ? Most Common, Incorrect Answer: Equity Value + Net Debt Youll see this in interview guides, online tutorials, quick

221 views • 3 slides
ECE590-03 Enterprise Storage Architecture Fall 2016 Introduction Tyler Bletsch Duke University

ECE590-03 Enterprise Storage Architecture Fall 2016 Introduction Tyler Bletsch Duke University

ECE590-03 Enterprise Storage Architecture Fall 2016 Introduction Tyler Bletsch Duke University Slides include material from Vince Freeh (NCSU) Average persons view of storage 2 Average engineers view of storage 3 A few enterprise

437 views • 19 slides
A DevOps State of Mind Chris Van Tuin Chief Technologist, West cvantuin@redhat.com In short,

A DevOps State of Mind Chris Van Tuin Chief Technologist, West cvantuin@redhat.com In short,

A DevOps State of Mind Chris Van Tuin Chief Technologist, West cvantuin@redhat.com In short, software is eating the world. - Marc Andreessen, Wall Street Journal, August 2011 2 UBER, LYFT FALLOUT: TAXI RIDES PLUNGE 65% IN SAN FRANCISCO

742 views • 38 slides
Substitute x A x = x cos ( ) - y sin ( ) x 1 0 x 0

Substitute x A x = x cos ( ) - y sin ( ) x 1 0 x 0

University of British Columbia Final Final Emphasis Sample Final CPSC 314 Computer Graphics exam notes covers entire course post-midterm topics: solutions now posted Jan-Apr 2013 Spring 06-07 (label was off by one)

233 views • 9 slides
EMT 368 Reliability and Testability in Integrated Circuit Design School of Microelectronic

EMT 368 Reliability and Testability in Integrated Circuit Design School of Microelectronic

EMT 368 Reliability and Testability in Integrated Circuit Design School of Microelectronic Engineering UniMAP A. Harun 1 Course content Reliability and availability concept Robust design principle Time and failure dependent

786 views • 32 slides
EFP 2.0: A MULTI-AGENT EPISTEMIC SOLVER WITH MULTIPLE E-STATE REPRESENTATIONS 30 th International

EFP 2.0: A MULTI-AGENT EPISTEMIC SOLVER WITH MULTIPLE E-STATE REPRESENTATIONS 30 th International

EFP 2.0: A MULTI-AGENT EPISTEMIC SOLVER WITH MULTIPLE E-STATE REPRESENTATIONS 30 th International Conference on Automated Planning and Scheduling Francesco Fabiano , Alessandro Burigana, Agostino Dovier and Enrico Pontelli University of Udine

580 views • 31 slides
What Happened at the Global Fund Replenishment? Join at https://results.zoom.us/j/510407386. Or by

What Happened at the Global Fund Replenishment? Join at https://results.zoom.us/j/510407386. Or by

October 2019 Global Grassroots Webinar What Happened at the Global Fund Replenishment? Join at https://results.zoom.us/j/510407386. Or by phone at (669) 900-6833 or (929) 436- 2866, meeting ID 510-407-386 Closed captioning:

330 views • 21 slides
Finite State Machines Hakim Weatherspoon CS 3410 Computer Science Cornell University

Finite State Machines Hakim Weatherspoon CS 3410 Computer Science Cornell University

Finite State Machines Hakim Weatherspoon CS 3410 Computer Science Cornell University [Weatherspoon, Bala, Bracy, McKee, and Sirer] Stateful Components Combinationial logic Output computed directly from inputs System has no internal

881 views • 50 slides
8: Hidden Markov Models Machine Learning and Real-world Data Simone Teufel and Ann Copestake

8: Hidden Markov Models Machine Learning and Real-world Data Simone Teufel and Ann Copestake

8: Hidden Markov Models Machine Learning and Real-world Data Simone Teufel and Ann Copestake Computer Laboratory University of Cambridge Lent 2017 Last session: catchup 1 Research ideas from sentiment detection This concludes the part about

556 views • 21 slides

More recommend