informa
/
Operations
Commentary

Meet 'Bro': The Best-Kept Secret of Network Security

This often overlooked open source tool uses deep packet inspection to transform network traffic into exceptionally useful, real-time data for security operations.

The 1990s was a terrific era for open source software. As the World Wide Web exploded in size, the scaffolding of the early Internet was taking shape … and it's hard to imagine that happening without the brilliant developers who gave us Linux, FreeBSD, Apache, Perl, MySQL — and countless other projects. The same decade also brought us grunge music, Game Boys, and Doc Martens! but those early open source tools had a larger impact: they changed the world in ways we're still grappling with.

Not surprisingly, several classic open source security projects date from exactly the same era: Snort, Wireshark, Nessus, Bro.

Here's a bet: if there's a name on that list you've only vaguely heard of, I bet it's "Bro."

I first encountered Bro in 2001, when I joined Lawrence Berkeley National Laboratory (LBNL) as a network engineer. One of my first jobs was to integrate Bro with our new border router. In that process, I learned that the tool had been created at LBNL five years earlier by Vern Paxson, then a graduate student, now an eminent computer scientist and security researcher at UC Berkeley. Vern's classic paper on Bro is here.

Vern named the project in homage to George Orwell's dystopian novel 1984, as a reminder that network monitoring can be a double-edged sword: increasing security, but also facilitating surveillance in the wrong hands. Since that time, "Bro" has developed other connotations, and last year the project's leadership kicked off a process for changing the name that hasn't yet concluded.

In a nutshell, Bro transforms network traffic — in all its volume, variety, and downright weirdness — into exceptionally useful real-time data for security operations. Through deep packet inspection, Bro can extract hundreds of security-relevant fields from dozens of protocols and present them in a way that makes sense to security operations center engineers.

By default, Bro doesn't have an opinion about the traffic it processes. This basic architectural principle sometimes confuses people. Bro doesn't decide whether your traffic is good or bad; it just doggedly parses dozens of protocols and records what it sees, generating rich, actionable data that makes the work of incident response and threat hunting up to 20 times faster. In fairness, that's a simplification, because Bro is also an application framework well-suited to the development of sophisticated behavioral detections ... but many fans of the open source project appreciate the value-neutral data above all else.

Bro initially thrived in the national laboratory system and in research universities because network visibility was so important to these institutions. They had the world's fastest networks, thousands of endpoints that were effectively unmanageable, and users who participated in an ever-shifting pattern of global research. Standard-issue firewalls weren't feasible or affordable in such environments. Instead, their security teams developed compensating techniques for monitoring networks, with Bro at the heart of it all.

In time, global enterprises began to adopt Bro as well. The addition of excellent SMB protocol parsing accelerated that trend, as did better documentation and a formal Bro Center funded by the US National Science Foundation. Right now, thousands of organizations worldwide rely on Bro, including some of the world's largest companies and mission-critical government agencies. As BSD-licensed technology, Bro is also incorporated into numerous commercial products.

Security professionals love Bro because it creates exceptional data that helps them get their jobs done faster. But beyond that, Bro data improves all of the tools it feeds (SIEM systems, analytics pipelines, automation platforms, etc.). As security threats become existential for so many organizations, better data is key to addressing risk, because it drives improvements throughout the security life cycle.

 

Top industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Click for more information.

Recommended Reading:
Editors' Choice
Amichai Shulman, CTO and Co-founder of AirEye
Biagio DeSimone, Enterprise Solution Architect, Aqua Security