In our continuing People of Zeek interview series, today we have Keith Lehigh, Chair of the Open Source Zeek Leadership Team (LT). Keith thank you so much for taking time out of your schedule to answer a few questions and let the community get to know more about you.
Amber Graner (AG): Keith could you tell people a little about you and your day job?
Keith Lehigh (KL): I’m the University Information Security Officer at Indiana University (IU). I lead a team of seven security engineers focused on running central security services, such as the New Issue Information Dissemination Service (NIDS), conducting threat hunting activities, providing tier two incident response support and offering technical security guidance and consultations for units around IU. I moved into a leadership position at IU about two years ago, and before that I was a security engineer in our office. While leading people is my primary job, I’m still fairly involved in helping run Zeek at IU. If I’m not doing security things, I’m probably cooking or grilling.
AG: How long have you been involved with the Zeek community and when did you become Chair of the LT?
KL: I first heard about Zeek/Bro from friends at the National Center for Supercomputing Applications (NCSA) in 2006, who were already using it as a core network monitoring tool. That year I attended the first Bro workshop (as it was called then), which was co-located at SuperComputing 2006 in Tampa. Over the next couple of years I played around a bit, but my involvement deepened in 2010 after I joined the University Information Security Office (UISO) and deployed Zeek/Bro across the IU network. At that time the community was much smaller and we played a useful role as a testbed, since IU has a fairly large and diverse network. As I’ve moved into a leadership role on my team, I thought I could help on the community side and became the Chair of the LT in 2018.
AG: What excites you about Zeek and keeps you interested in serving the community? How is Zeek used in your day job?
KL: One of the most exciting things about Zeek is how it has always been on the cutting edge, whether that was building in cluster support over 10 years ago, or the recently announced zeek-agent, which helps extend Zeek’s visibility into endpoints on the network. As well, Zeek’s policy neutral approach to logging makes it a critical forensic tool to support other detection processes. In our office, sometimes we start with Zeek logs to find compromises, but regardless of where the first indicator originated, we always end up pivoting to Zeek logs to tell the whole story. We also rely on Zeek logs for proactive security, answering questions such as “do we have this software on our network and where is it?”
AG: Where and how would you like to see the community get involved in the project?
KL: Sharing scripts, especially as packages, can have a big impact. If you’ve got an idea, but aren’t sure how to proceed, the Slack channel or the mailing list are great places to ask for help. Finally, pitching in to help improve the documentation is another great way to contribute. Small or large changes, or even identifying gaps, can be useful.
AG: What are some new items of interest the community should be on the lookout for in 2020?
KL: On the technical side, the nascent supervisor feature will expand the capability and reliability of cluster deployments. On the user support side, the newly overhauled web presence and a forthcoming overhaul of our documentation should really help the community.
AG: Is there anything else you’d like people to know about Zeek, the community or you that I haven’t asked you about?
KL: I appreciate the people in the community who helped me along the way and I hope I’ve been able to repay them by helping others get going. Also, be safe, and take care of each other!
Keith, again thank you so much for this interview and for all you do for the Zeek community.
For those who want to get involved or want to know more about Zeek, see the helpful links below:
Getting Involved: If you would like to be part of the Zeek Community and contribute to the success of the project, please sign up for our mailing lists, join our Slack Workspace, come to our events, follow the blog and/or Twitter feed. If you’re writing scripts or plugins for Zeek, we would love to hear from you! Can’t figure out what your next step should be? Just reach out. Together we can find a place for you to actively contribute and be a part of this growing community.
About Zeek (formerly Bro): Zeek is the world’s leading platform for network security monitoring. Flexible, open source, and powered by defenders. https://www.zeek.org/