Operations

6/14/2018
10:00 AM
Greg Bell
Greg Bell
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Meet 'Bro': The Best-Kept Secret of Network Security

This often overlooked open source tool uses deep packet inspection to transform network traffic into exceptionally useful, real-time data for security operations.

The 1990s was a terrific era for open source software. As the World Wide Web exploded in size, the scaffolding of the early Internet was taking shape … and it's hard to imagine that happening without the brilliant developers who gave us Linux, FreeBSD, Apache, Perl, MySQL — and countless other projects. The same decade also brought us grunge music, Game Boys, and Doc Martens! but those early open source tools had a larger impact: they changed the world in ways we're still grappling with.

Not surprisingly, several classic open source security projects date from exactly the same era: Snort, Wireshark, Nessus, Bro.

Here's a bet: if there's a name on that list you've only vaguely heard of, I bet it's "Bro."

I first encountered Bro in 2001, when I joined Lawrence Berkeley National Laboratory (LBNL) as a network engineer. One of my first jobs was to integrate Bro with our new border router. In that process, I learned that the tool had been created at LBNL five years earlier by Vern Paxson, then a graduate student, now an eminent computer scientist and security researcher at UC Berkeley. Vern's classic paper on Bro is here.

Vern named the project in homage to George Orwell's dystopian novel 1984, as a reminder that network monitoring can be a double-edged sword: increasing security, but also facilitating surveillance in the wrong hands. Since that time, "Bro" has developed other connotations, and last year the project's leadership kicked off a process for changing the name that hasn't yet concluded.

In a nutshell, Bro transforms network traffic — in all its volume, variety, and downright weirdness — into exceptionally useful real-time data for security operations. Through deep packet inspection, Bro can extract hundreds of security-relevant fields from dozens of protocols and present them in a way that makes sense to security operations center engineers.

By default, Bro doesn't have an opinion about the traffic it processes. This basic architectural principle sometimes confuses people. Bro doesn't decide whether your traffic is good or bad; it just doggedly parses dozens of protocols and records what it sees, generating rich, actionable data that makes the work of incident response and threat hunting up to 20 times faster. In fairness, that's a simplification, because Bro is also an application framework well-suited to the development of sophisticated behavioral detections ... but many fans of the open source project appreciate the value-neutral data above all else.

Bro initially thrived in the national laboratory system and in research universities because network visibility was so important to these institutions. They had the world's fastest networks, thousands of endpoints that were effectively unmanageable, and users who participated in an ever-shifting pattern of global research. Standard-issue firewalls weren't feasible or affordable in such environments. Instead, their security teams developed compensating techniques for monitoring networks, with Bro at the heart of it all.

In time, global enterprises began to adopt Bro as well. The addition of excellent SMB protocol parsing accelerated that trend, as did better documentation and a formal Bro Center funded by the US National Science Foundation. Right now, thousands of organizations worldwide rely on Bro, including some of the world's largest companies and mission-critical government agencies. As BSD-licensed technology, Bro is also incorporated into numerous commercial products.

Security professionals love Bro because it creates exceptional data that helps them get their jobs done faster. But beyond that, Bro data improves all of the tools it feeds (SIEM systems, analytics pipelines, automation platforms, etc.). As security threats become existential for so many organizations, better data is key to addressing risk, because it drives improvements throughout the security life cycle.

Related Content:

 

Top industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Click for more information.

Before joining Corelight as CEO, Greg served in a series of leadership roles at Lawrence Berkeley National Laboratory: director of the scientific networking division, director of the US Department of Energy's high performance mission network ESnet, and chief technology ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Todd Hartgrove
50%
50%
Todd Hartgrove,
User Rank: Apprentice
6/21/2018 | 5:27:52 AM
Pending Review
This comment is waiting for review by our moderators.
RobiP
100%
0%
RobiP,
User Rank: Strategist
6/14/2018 | 3:37:33 PM
Surprisingly Unkown
I am marveled at both how many well read security professionals are not aware of Bro's benefits as well as the untapped potential of both the data and scripts that Bro offers.  Unique, bespoke data is extremely valuable and reat-time analytics is just beginning to take hold.

Go, Bro, Go!
Meet 'Bro': The Best-Kept Secret of Network Security
Greg Bell, CEO, Corelight,  6/14/2018
Containerized Apps: An 8-Point Security Checklist
Jai Vijayan, Freelance writer,  6/14/2018
Four Faces of Fraud: Identity, 'Fake' Identity, Ransomware & Digital
David Shefter, Chief Technology Officer at Ziften Technologies,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
The State of IT and Cybersecurity
The State of IT and Cybersecurity
IT and security are often viewed as different disciplines - and different departments. Find out what our survey data revealed, read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-0291
PUBLISHED: 2018-06-20
A vulnerability in the Simple Network Management Protocol (SNMP) input packet processor of Cisco NX-OS Software could allow an authenticated, remote attacker to cause the SNMP application on an affected device to restart unexpectedly. The vulnerability is due to improper validation of SNMP protocol ...
CVE-2018-0292
PUBLISHED: 2018-06-20
A vulnerability in the Internet Group Management Protocol (IGMP) Snooping feature of Cisco NX-OS Software could allow an unauthenticated, adjacent attacker to execute arbitrary code and gain full control of an affected system. The attacker could also cause an affected system to reload, resulting in ...
CVE-2018-0293
PUBLISHED: 2018-06-20
A vulnerability in role-based access control (RBAC) for Cisco NX-OS Software could allow an authenticated, remote attacker to execute CLI commands that should be restricted for a nonadministrative user. The attacker would have to possess valid user credentials for the device. The vulnerability is du...
CVE-2018-0294
PUBLISHED: 2018-06-20
A vulnerability in the write-erase feature of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to configure an unauthorized administrator account for an affected device. The vulnerability exists because the affected software does not properly delete sensitive...
CVE-2018-0295
PUBLISHED: 2018-06-20
A vulnerability in the Border Gateway Protocol (BGP) implementation of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition due to the device unexpectedly reloading. The vulnerability is due to incomplete input validation of the BGP update...