In our continuing People of Zeek interview series, today we have Doug Burks, Founder of Security Onion and CEO of Security Onion Solutions. Doug, thank you so much for taking time out of your schedule to answer a few questions and let the community get to know more about you and your organization.
Doug Burks (DB): Thanks for the opportunity to share a few thoughts with your community!
Amber Graner (AG): Doug, can you tell people a little bit more about you and how you became involved with Zeek and the community?
DB: I started the Security Onion project in 2008 with the original goal of providing a free and open source platform for intrusion detection and network security monitoring to help you peel back the layers of your network. In 2009, I added Bro (as it was known back then) to the platform and then started attending Bro conferences and meeting great folks like Seth Hall and Robin Sommer. After seeing the great network visibility that Bro (now Zeek) provides and the infectious enthusiasm of folks like Seth and Robin, I knew this would be a great project and community to be a part of!
AG: How does Zeek play a role in your day-to-day activities?
DB: Every day, I wake up and one of the first things I do is review the Zeek logs on all of my sensors. We want our Security Onion platform to be “by threat hunters, for threat hunters” so it’s important that I spend some time every day doing some threat hunting. Zeek plays a vital role in threat hunting due to the amazing network visibility it provides.
AG: We’ll talk more about Security Onion in just a few questions, but what excites you about Zeek and the community?
DB: The Zeek community is exciting because of its breadth and depth. There are community members from private organizations, military, and academia. Folks are using it for a wide variety of use cases from classroom learning to full production incident response and everywhere in between. Some community members have many years of experience in fighting the good fight and leverage those years of experience to mentor those who are newer. Newer members may be new to the industry, but that’s actually a good sign in and of itself because it means that the community is growing, thriving, and adding new members with fresh ideas.
AG: How and where would you like to see more people and organizations get involved with Zeek and the community?
DB: I like the recent addition of a Slack channel for the Zeek community and would encourage folks to sign up and join the discussion!
AG: For others who would like to get involved in Zeek, Security Onion, or other open source projects, what would your advice be to them?
DB: Getting involved in open source projects can be intimidating at first, but don’t be scared! We are all working together towards the common goal of fighting our adversaries and we want you to join us in the fight!
AG: Can you tell readers a little more about Security Onion? How is Zeek used in your product?
DB: Security Onion is a free and open source Linux distribution for threat hunting, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Zeek, Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security tools. Zeek is a core component of our network visibility. If you download our ISO image (currently over 950,000 downloads), you can install and configure it in just a few minutes and then log into Kibana to slice and dice your Zeek logs.
AG: Why is open source so important to you personally and your organization? What can others learn from integrating open and transparent principles and philosophies to their workflow?
DB: I first learned about open source in 1997 and it blew my mind! As a sysadmin, I was able to save my organization tons of money by using open source. And in many cases, we wouldn’t have had the budget for commercial alternatives at all, so we were able to do things that we simply would not have been able to do otherwise. Because I was able to benefit from open source both personally and professionally, I was incredibly grateful and knew that I wanted to give back to the open source community either by getting involved in existing projects or starting my own. Ultimately, I started Security Onion and it has been a privilege and an honor to provide a free and open source platform to help defenders defend themselves.
AG: What would you say is the most valuable/important lesson you have learned from being involved in and adopting open and transparent practices?
DB: Throughout the course of my career, I’ve seen time and time again that open and transparent communities enable acceleration that alternatives simply cannot. Here’s a great example. Recently, we packaged Zeek 3.0.1 and our community users started upgrading. Soon, one of our community members noticed that Zeek was using more CPU than it had previously, so he emailed our mailing list with some good metrics. Using those metrics, we were able to duplicate the issue and come up with a consistent method to trigger the issue. We then sent those details to the Zeek mailing list and Jon Siwek replied within just a few hours and was able to duplicate the issue. He then fixed the issue and released Zeek 3.0.3. We then packaged Zeek 3.0.3 and the original community member verified this resolved the issue. This whole turnaround happened very quickly all because one of our community members spoke up and we were able to have an open and transparent dialog with the right folks in our community and in the Zeek community. Try that with traditional closed source software!
AG: How can people get involved with Security Onion?
DB: The best way to get involved with Security Onion is to join our mailing list and subreddit. Answer questions from your fellow community members. Use those questions to get a sense for the common pain points in the community. Those pain points may be solved by simple documentation changes or perhaps more complex code changes. We will gladly review any and all pull requests for our docs or code repos!
AG: If you have one takeaway message you’d like readers to know about Security Onion, what would it be?
DB: If you’ve tried Security Onion in the past, you might want to try again as we keep getting better and better over the years! In addition to comprehensive network visibility, we also integrate with lots of endpoint technologies. Also, we’re currently working on our next generation platform code named Hybrid Hunter which is container based so we’ll no longer be tied to just one Linux distribution.
AG: Is there anything I haven’t asked you about that you would like readers to know?
DB: My personal goal is that, through the Zeek and Security Onion communities, we empower defenders to more quickly detect and interrupt adversaries and ultimately bring them to justice. Let’s work together and make our adversaries cry!
About Security Onion:
Security Onion is a free and open source Linux distribution for threat hunting, enterprise security monitoring, and log management. It includes Elasticsearch, Logstash, Kibana, Snort, Suricata, Zeek (formerly known as Bro), Wazuh, Sguil, Squert, CyberChef, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!