Operations

6/14/2018
10:00 AM
Greg Bell
Greg Bell
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Meet 'Bro': The Best-Kept Secret of Network Security

This often overlooked open source tool uses deep packet inspection to transform network traffic into exceptionally useful, real-time data for security operations.

The 1990s was a terrific era for open source software. As the World Wide Web exploded in size, the scaffolding of the early Internet was taking shape … and it's hard to imagine that happening without the brilliant developers who gave us Linux, FreeBSD, Apache, Perl, MySQL — and countless other projects. The same decade also brought us grunge music, Game Boys, and Doc Martens! but those early open source tools had a larger impact: they changed the world in ways we're still grappling with.

Not surprisingly, several classic open source security projects date from exactly the same era: Snort, Wireshark, Nessus, Bro.

Here's a bet: if there's a name on that list you've only vaguely heard of, I bet it's "Bro."

I first encountered Bro in 2001, when I joined Lawrence Berkeley National Laboratory (LBNL) as a network engineer. One of my first jobs was to integrate Bro with our new border router. In that process, I learned that the tool had been created at LBNL five years earlier by Vern Paxson, then a graduate student, now an eminent computer scientist and security researcher at UC Berkeley. Vern's classic paper on Bro is here.

Vern named the project in homage to George Orwell's dystopian novel 1984, as a reminder that network monitoring can be a double-edged sword: increasing security, but also facilitating surveillance in the wrong hands. Since that time, "Bro" has developed other connotations, and last year the project's leadership kicked off a process for changing the name that hasn't yet concluded.

In a nutshell, Bro transforms network traffic — in all its volume, variety, and downright weirdness — into exceptionally useful real-time data for security operations. Through deep packet inspection, Bro can extract hundreds of security-relevant fields from dozens of protocols and present them in a way that makes sense to security operations center engineers.

By default, Bro doesn't have an opinion about the traffic it processes. This basic architectural principle sometimes confuses people. Bro doesn't decide whether your traffic is good or bad; it just doggedly parses dozens of protocols and records what it sees, generating rich, actionable data that makes the work of incident response and threat hunting up to 20 times faster. In fairness, that's a simplification, because Bro is also an application framework well-suited to the development of sophisticated behavioral detections ... but many fans of the open source project appreciate the value-neutral data above all else.

Bro initially thrived in the national laboratory system and in research universities because network visibility was so important to these institutions. They had the world's fastest networks, thousands of endpoints that were effectively unmanageable, and users who participated in an ever-shifting pattern of global research. Standard-issue firewalls weren't feasible or affordable in such environments. Instead, their security teams developed compensating techniques for monitoring networks, with Bro at the heart of it all.

In time, global enterprises began to adopt Bro as well. The addition of excellent SMB protocol parsing accelerated that trend, as did better documentation and a formal Bro Center funded by the US National Science Foundation. Right now, thousands of organizations worldwide rely on Bro, including some of the world's largest companies and mission-critical government agencies. As BSD-licensed technology, Bro is also incorporated into numerous commercial products.

Security professionals love Bro because it creates exceptional data that helps them get their jobs done faster. But beyond that, Bro data improves all of the tools it feeds (SIEM systems, analytics pipelines, automation platforms, etc.). As security threats become existential for so many organizations, better data is key to addressing risk, because it drives improvements throughout the security life cycle.

Related Content:

 

Top industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Click for more information.

Before joining Corelight as CEO, Greg served in a series of leadership roles at Lawrence Berkeley National Laboratory: director of the scientific networking division, director of the US Department of Energy's high performance mission network ESnet, and chief technology ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Todd Hartgrove
50%
50%
Todd Hartgrove,
User Rank: Apprentice
6/21/2018 | 5:27:52 AM
Re: Surprisingly Unkown
I absolutely agree. Real-time analysis will be required in the future
RobiP
100%
0%
RobiP,
User Rank: Strategist
6/14/2018 | 3:37:33 PM
Surprisingly Unkown
I am marveled at both how many well read security professionals are not aware of Bro's benefits as well as the untapped potential of both the data and scripts that Bro offers.  Unique, bespoke data is extremely valuable and reat-time analytics is just beginning to take hold.

Go, Bro, Go!
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
How Well Is Your Organization Investing Its Cybersecurity Dollars?
Jack Jones, Chairman, FAIR Institute,  12/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1817
PUBLISHED: 2018-12-13
IBM Security Guardium 10 and 10.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 150021.
CVE-2018-1818
PUBLISHED: 2018-12-13
IBM Security Guardium 10 and 10.5 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 150022.
CVE-2018-1821
PUBLISHED: 2018-12-13
IBM Operational Decision Management 8.5, 8.6, 8.7, 8.8, and 8.9 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 150170.
CVE-2018-1886
PUBLISHED: 2018-12-13
IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 152021.
CVE-2018-1887
PUBLISHED: 2018-12-13
IBM Security Access Manager Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, and 9.0.5.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force...