Matthias, thank you so much for taking time out of your schedule to answer a few questions and let the community get to know more about you and your organization.
Amber Graner (AG): Matthias, like so many early Zeek adopters and active community members, you have some personal history with Vern Paxson, the creator of Zeek and the International Computer Science Institute (ICSI) at Berkeley. Can you tell people a little bit more about you and how you became involved in the Zeek Community?
MV: Amber, thanks for this opportunity here to speak to you and the community. My first exposure to Zeek was back in 2006 at the Technical University in Munich, Germany, when I was doing my Bachelor’s thesis that now Corelight’s CTO Robin Sommer co-advised. During my thesis, I also had the fortune to spend a few months at ICSI, where I met Vern, and we published a conference paper about the first version of the Zeek cluster. I was excited to work in this team, tackle the challenging performance problems of monitoring large networks, and ultimately contribute something that’s now used in numerous large enterprises in production. I found my way to Berkeley grad school right after Vern was appointed professor at UC Berkeley, and with him as my advisor, you can imagine, I was deeply wired to the Zeek team.
AG: How does Zeek play a role in your day to day activities?
MV: Even though I moved back to Germany after my PhD and post-doc at Berkeley, I am still actively following the evolution of Zeek, especially on the now available community Slack and at github. I successfully inculcated the Zeek mindset at Tenzir and now our team is also hooked. For example, when a new CVE comes out, the first thing we ask ourselves is “how can we detect this in Zeek?”
AG: We’ll talk more about Tenzir in just a few questions, but what excites you about Zeek and the community?
MV: The unique thing about this community is that there’s no ego. Everybody just loves figuring out new ways to use Zeek and let their own passion be the driver for innovative ideas. The community has also numerous long-term experts with a lot of experience – a treasure trove of knowledge!
AG: How and where would you like to see more people and organizations get involved in the Zeek community?
MV: Zeek doesn’t have a lot of traction over here in Europe yet, but this is slowly changing. It’s refreshing to see. I hope that Zeek eventually becomes just another first-class citizen like PCAP or NetFlow data. Regrading users, I am witnessing that Zeek now finds its way into universities more. For example, we have an ongoing collaboration with the security group at University of Hamburg, lead by Prof. Mathias Fischer, who exposes students early on to hands-on Zeek in seminars. It makes me really happy to see that Zeek trickles down to the next generation of security experts!
AG: For others who would like to get involved in Zeek or other open source projects what would your advice be to them?
MV: Just try it out and look at the logs. The value of the data is immediately apparent. Many NSM tools already ship with Zeek or have native integrations, so it’s much easier to get started nowadays than a decade ago.
AG: Can you tell readers a little more about Tenzir? How is Zeek used in your product?
MV: Tenzir builds SOC backbone technology, where SecOps meets data science. Our open-source telemetry engine VAST has native Zeek support. It also handles PCAP, NetFlow, argus, Suricata, and other formats. You can query VAST and it gives you back the relevant subset you need, in a format of your choice. We also have a zero-copy channel to build a high-throughput path to various analytics frameworks, such as R, Spark, Python/Pandas, etc. Then you don’t have to worry about slow JSON import and exports but can jump-start the analysis. At Suricon last year, we showed how to pivot between Suricata and Zeek logs and fetch the corresponding PCAPs.
We also offer an integrated NSM solution with VAST, threat intel matching, and of course, Zeek for detection.
AG: Why is open source so important to you personally and your organization? What can others learn from integrating open and transparent principles and philosophies to their workflow?
MV: We have a strong open-source culture at Tenzir. Recently, we released Threat Bus, a new open-source tool that is just meant to integrate other open-source security tools. VAST is technically open-core software, with the majority of features available in the open source version. We also publish most of our building blocks, such as the zeek-mac-ages package, so that the security community in addition to our customers can benefit as a whole from our daily churning.
AG: What would you say is the most valuable/important lesson you have learned from being involved in and adopting open and transparent practices?
MV: A dramatic improvement in quality. If you live up to high standards and want to keep your integrity, then you cannot brush the dirt under the carpet. It’s okay to write dirty hacks, but it requires explicit communication that justifies the shortcuts. Proper expectation management is necessary for credibility and accountability. Coupled with transparency, we believe that this is the key driver for success in a fast-moving open-source world.
AG: If you have one take away message you’d like readers to know about Tenzir what would it be?
MV: If you run Zeek and need a better way to illuminate its output, come talk to us.
AG: Is there anything I haven’t asked you about that you would like readers to know?
MV: We’d be happy if you follow us on Twitter at @tenzir_company, where we share new blog posts and interact with the community. We’re also on LinkedIn under tenzir.company. Oh, and if you have any questions about probabilistic data structures, our team gets easily distracted ;-).
Tenzir develops technology for automated investigation of security threats before they have a business impact. We correlate massive amounts of network data—in realtime and retrospectively. This enables early detection and rapid containment of attacks with minimal human interaction. Our appliance supports on-premise setup and soon a cloud-native deployment—all with flat-fee monthly pricing for a predictable TCO.