Operations

6/14/2018
10:00 AM
Greg Bell
Greg Bell
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Meet 'Bro': The Best-Kept Secret of Network Security

This often overlooked open source tool uses deep packet inspection to transform network traffic into exceptionally useful, real-time data for security operations.

The 1990s was a terrific era for open source software. As the World Wide Web exploded in size, the scaffolding of the early Internet was taking shape … and it's hard to imagine that happening without the brilliant developers who gave us Linux, FreeBSD, Apache, Perl, MySQL — and countless other projects. The same decade also brought us grunge music, Game Boys, and Doc Martens! but those early open source tools had a larger impact: they changed the world in ways we're still grappling with.

Not surprisingly, several classic open source security projects date from exactly the same era: Snort, Wireshark, Nessus, Bro.

Here's a bet: if there's a name on that list you've only vaguely heard of, I bet it's "Bro."

I first encountered Bro in 2001, when I joined Lawrence Berkeley National Laboratory (LBNL) as a network engineer. One of my first jobs was to integrate Bro with our new border router. In that process, I learned that the tool had been created at LBNL five years earlier by Vern Paxson, then a graduate student, now an eminent computer scientist and security researcher at UC Berkeley. Vern's classic paper on Bro is here.

Vern named the project in homage to George Orwell's dystopian novel 1984, as a reminder that network monitoring can be a double-edged sword: increasing security, but also facilitating surveillance in the wrong hands. Since that time, "Bro" has developed other connotations, and last year the project's leadership kicked off a process for changing the name that hasn't yet concluded.

In a nutshell, Bro transforms network traffic — in all its volume, variety, and downright weirdness — into exceptionally useful real-time data for security operations. Through deep packet inspection, Bro can extract hundreds of security-relevant fields from dozens of protocols and present them in a way that makes sense to security operations center engineers.

By default, Bro doesn't have an opinion about the traffic it processes. This basic architectural principle sometimes confuses people. Bro doesn't decide whether your traffic is good or bad; it just doggedly parses dozens of protocols and records what it sees, generating rich, actionable data that makes the work of incident response and threat hunting up to 20 times faster. In fairness, that's a simplification, because Bro is also an application framework well-suited to the development of sophisticated behavioral detections ... but many fans of the open source project appreciate the value-neutral data above all else.

Bro initially thrived in the national laboratory system and in research universities because network visibility was so important to these institutions. They had the world's fastest networks, thousands of endpoints that were effectively unmanageable, and users who participated in an ever-shifting pattern of global research. Standard-issue firewalls weren't feasible or affordable in such environments. Instead, their security teams developed compensating techniques for monitoring networks, with Bro at the heart of it all.

In time, global enterprises began to adopt Bro as well. The addition of excellent SMB protocol parsing accelerated that trend, as did better documentation and a formal Bro Center funded by the US National Science Foundation. Right now, thousands of organizations worldwide rely on Bro, including some of the world's largest companies and mission-critical government agencies. As BSD-licensed technology, Bro is also incorporated into numerous commercial products.

Security professionals love Bro because it creates exceptional data that helps them get their jobs done faster. But beyond that, Bro data improves all of the tools it feeds (SIEM systems, analytics pipelines, automation platforms, etc.). As security threats become existential for so many organizations, better data is key to addressing risk, because it drives improvements throughout the security life cycle.

Related Content:

 

Top industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Click for more information.

Before joining Corelight as CEO, Greg served in a series of leadership roles at Lawrence Berkeley National Laboratory: director of the scientific networking division, director of the US Department of Energy's high performance mission network ESnet, and chief technology ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Todd Hartgrove
50%
50%
Todd Hartgrove,
User Rank: Apprentice
6/21/2018 | 5:27:52 AM
Re: Surprisingly Unkown
I absolutely agree. Real-time analysis will be required in the future
RobiP
100%
0%
RobiP,
User Rank: Strategist
6/14/2018 | 3:37:33 PM
Surprisingly Unkown
I am marveled at both how many well read security professionals are not aware of Bro's benefits as well as the untapped potential of both the data and scripts that Bro offers.  Unique, bespoke data is extremely valuable and reat-time analytics is just beginning to take hold.

Go, Bro, Go!
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
New Mirai Version Targets Business IoT Devices
Dark Reading Staff 3/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Reading Schneier's Friday Squid Blog again?
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.