FloCon 2017

Network security monitoring has been around for decades, but the data generated from high volume sources such as cloud, mobile and IoT creates a brand new set of challenges. This presentation will explore how companies can begin to fix these visibility issues using the Bro
open-source network security monitoring framework to perform dynamic targeted logging and enable the cyber hunting mission.

Too often, network admins are forced to choose between a thorough analysis or a fast analysis. With the ability to manually review 10, 100 or even 200 potential events per day, an admin's bandwidth is stretched thin, leaving many opportunities for error. Coupled with the high volume of data from modern sources, there is a lack of confidence that traditional detection methods will catch every threat.

Instead of manually searching PCAP logs or summarizing network traffic with NetFlow, Bro allows organizations to gather detailed metadata on network traffic from multiple protocol layers. Bro can be leveraged to look for events that occurred within the last 6 months to last 6 minutes, thus enabling the cyber hunter's mission. By combining targeted logging with ability to filter, analyze and enrich with potential indicators of compromise, analysts get more information to prioritize and respond. With targeted logs, automated analysis becomes both more feasible and effective than traditional full-take log anomaly detection.

Combined with the right cyber hunting approach, analysts can gain new visibility into threats that have existed in the network for a long time or focus on catching threats near the moment of compromise. Our approach allows you to automate the process of sifting through months of data to find evidence of a breach.

Attendees will learn how to solve the high volume data issue associated with network monitoring and become more efficient cyber hunters. We will walk through several examples of where targeted logging clearly discovers and confirms malicious activity, and will show examples of Bro logging, filtering and automated analysis techniques used and discuss real-word use cases accompanied by statistical information demonstrating data reduction.