Zeek Webinars
Upcoming Webinars
We currently have no webinars scheduled. Recordings of past webinars are available on our YouTube channel, in the “Zeek Webinars – 2024” playlist.
Past Webinars
Recordings of past webinars are available on our YouTube channel, in the “Zeek Webinars – 2024” playlist.
2025-03-19, 10 am Pacific Time: Integrating ML Analysis with Zeek
Speaker: Dubem Nwoji, Corelight
Abstract:
Bio:
2025-02-05, 10 am Pacific Time: Zeek Telemetry Framework
Speaker: Tim Wojtulewicz, Corelight
Abstract:
In Zeek 7.0 we introduced a new framework for exporting telemetry data. This moves from everything being implemented by our in-house Broker software to a Prometheus-first model in Zeek itself. This webinar will cover what’s new about the framework, how to configure it for use with Prometheus, how to use the data that Zeek provides, and how to add your own.
Bio:
2025-01-22, 10 am Pacific Time: Pluggable Cluster Backends
Speaker: Arne Welzel, Corelight
Abstract:
Zeek is extensible through external plugins. Plugins can register components with Zeek’s core, providing new functionality. Prime examples are protocol analyzers, packet sources, or log writers.
Starting with Zeek 7.1, plugins can now extend Zeek with “cluster backend components”. Such components provide publish-subscribe and remote logging functionality to Zeek, allowing nodes to communicate in a cluster. As part of this change, Zeek’s existing Broker integration was converted to provide a cluster backend component. Additionally, an experimental ZeroMQ-based alternative has been added to Zeek’s main development tree.
This new functionality allows users to experiment with Zeek clusters in which individual nodes communicate using off-the-shelf technologies like ZeroMQ or NATS.io, rather than Zeek’s native communication library, Broker.
This talk will provide details about the API, explore the ZeroMQ and NATS.io (prototype) implementations and discuss the differences and opportunities that this development brings.
Bio:
Arne Welzel works for Corelight as a Zeek maintainer. He’s relatively new to the Zeek ecosystem and from time to time pushes controversial experiments, like adding JavaScript support to Zeek. He’s otherwise interested in performance profiling and optimizations.
2025-01-08, 10 am Pacific Time: Designing logs in the real world
Speaker: Steve Smoot, Corelight
Abstract:
The real world often breaks simple assumptions of how research is done – when one organization knows what to look for, but won’t disclose their secret sauce, it can be tricky to help them generate good logs! Suppose you don’t know which part of a protocol has the key information. Suppose the protocol is based on three or four RFCs, but also has random vendor changes and multiple versions, and seems to tell some fibs. Suppose the PCAPs are scarce on the internet and the partner organization isn’t allowed to share theirs. How can you hash it out? I’ll go through my journey in developing a log in the “real world.”
Bio:
Steve Smoot has been in and out of open source since coding for his Computer Science PhD at UC Berkeley in the 1990s and has been working in networking since 2000. Presently he is Corelight’s Chief Customer Officer, where he focuses on building technical teams to enable customers to achieve their goals with Zeek (& Suricata). Formerly, he played a catalytic role at Riverbed, scaling from 10 to 2600 people, and before that brought the FastForward Networks technology and how-to to Europe for Inktomi. Previously, he developed video compression technology that enables the video streams we all watch every night. Dr. Smoot is a graduate of MIT and holds a PhD in Computer Science from the University of California at Berkeley.
2024-12-11, 10 am Pacific Time: Zeek File Extraction and Automating Malware Analysis
Speaker: Seth Grover, Idaho National Lab representing DHS CISA
Abstract:
Zeek’s file analysis framework allows files transferred in observed network traffic to be extracted to disk, but what next? This presentation will cover how Malcolm (https://cisagov.github.io/Malcolm) uses Zeek’s file extraction capability, from configuring which files to extract to performing automated analysis of extracted files using open-source tools like YARA, capa, and ClamAV.
Bio:
Seth Grover is a software developer with twenty years of experience in cybersecurity-related network traffic analysis technologies. Much of Seth’s six years at the Idaho National Lab has been spent focused on the creation and development of Malcolm, an open source network traffic analysis tool suite providing visibility into IT and OT network communications. He accepted a seat on the Zeek LT in 2023. Seth and his wife Andrea are the proud parents of four daughters, a yellow lab named Peach, and a tuxedo cat named Toad.
2024-11-20, 10 am Pacific Time: Parsnip: Lowering the Barrier of Entry for Parser Development
Speaker: Melanie Pierce, Idaho National Laboratory
Abstract:
Spicy and BinPAC are robust languages that greatly aid developers in crafting protocol analyzers for Zeek. Spicy, in particular, has streamlined the process significantly over its predecessor, BinPAC, making it less daunting to develop network protocol analyzers. Yet, mastering Spicy’s relatively simpler syntax and tools still demands a considerable investment of time and effort. For seasoned developers who regularly build protocol analyzers, this is hardly a deterrent, as they can fully utilize the sophisticated capabilities of these languages. However, this complexity can deter others from attempting to build analyzers.
To address this challenge, the Cybersecurity & Infrastructure Security Agency (CISA) partnered with Idaho National Laboratory to develop and introduce Parsnip. This project aims to lower the entry barrier to creating analyzers by utilizing more accessible tools like a Graphical User Interface (GUI) and JSON. Parsnip provides a practical solution that covers 80-90% of the needs for an analyzer, which can either suffice in many scenarios or be refined further by a Spicy expert.
Bio:
Melanie is a Cybersecurity Analyst at Idaho National Laboratory (INL). She joined INL in 2022. Melanie has a bachelor’s degree in Cybersecurity from Brigham Young University and is currently pursuing her master’s degree in computer science from Johns Hopkins University.
After joining INL, Melanie became involved in the efforts to secure critical infrastructure networks through the ICSNPP project and the Malcolm project. With the ICSNPP (Industrial Control Systems Network Protocol Parsers) project, Melanie develops Zeek parsers in Spicy and BinPAC to provide further visibility into critical infrastructure networks. These protocol parsers are incorporated into the Malcolm tool suite. Melanie is passionate about simplifying security. Cybersecurity doesn’t need to be expensive or complicated. Melanie loves finding creative solutions to make the implementation of a basic security posture reachable, even among the smaller industries. Melanie is a strong believer in open-source software that benefits the entire community and wants to contribute to lasting impacts in critical infrastructure security.
2024-11-13, 10 am Pacific Time: What’s in a Name – Hiding in Plain Sight
Speaker: Brian Olson, Meta
Abstract:
In our increasingly digital world, detecting malicious activities via DNS analysis has become crucial for cybersecurity. This presentation briefly discusses DNS basics, domain registration norms, and dives into several advanced detection techniques to enhance security measures and identify data exfiltration, C2 communications, and other malicious activities.
Bio:
2024-11-06, 10 am Pacific Time: How Zeek Helps Secure Open Science
Speaker: Aaron J. Scantlin, National Energy Research Scientific Computing Center (NERSC)
Abstract:
The National Energy Research Scientific Computing (NERSC) Center, an enclave of Lawrence Berkeley National Lab, is an “open science” research facility dedicated to making HPC resources accessible for researchers and their data accessible to the world. In environments such as these, every CPU cycle spent on security is seen as a CPU cycle not spent on science – and to that end, the NERSC Security team relies heavily on Zeek to passively monitor up to 1Tbps of traffic traversing the border. Additionally, the NERSC Security team leverages Zeek (in conjunction with fluentd) as a “SIEM on a stick” to ingest SSH logs – join NERSC Security team member Aaron Scantlin for an overview of their use case, cluster architecture and maintenance processes.
Bio:
Aaron J. Scantlin is a cybersecurity engineer for the National Energy Research Scientific Computing (NERSC) Center at Lawrence Berkeley National Lab, as well as a former adjunct instructor in the College of Engineering at University of Missouri – Columbia. Aaron has been a Zeek Geek for so long he’s a Bro Bro! His first talk involving Zeek was a talk entitled “Home Network Security Monitoring on the Cheap” at SecKC in 2016 and he has found himself using Zeek in some capacity ever since. Energetic and passionate (sometimes to a fault), Aaron will be sure to both inform and entertain.
2024-10-30, 10 am Pacific Time: Automated Zeek Builds and Adventures with the Management Framework
Speaker: Dop, ESNet
Abstract:
At ESnet, we pride ourselves on being cutting edge, even when we cut ourselves. Every new significant branch of Zeek is automatically built and tested in GitLab CI. Then, every night, the latest successful ‘master’ build is deployed to a test system via Ansible. As time permits, we roll out the latest build, in production, to over 40 servers. Through this process we’ve both been able to provide early feedback to the Zeek project about potential bugs and give ourselves an early warning system when changes impact our production plugins and scripts.
The second half of this talk will cover how we look to support the future of multi-node cluster environments. With the announcement of zeekctl’s eventual retirement we moved to systemd for process control. These days we’re looking at the new Zeek Management Framework. It’s a little confusing at first, but we’ll discuss what it takes to build a single system or a cluster, including what works and what doesn’t.
Bio:
Michael “Dop” Dopheide has spent the majority of his career working in the R&E community specializing in systems engineering, security research, incident response, and network intrusion detection. He especially enjoys helping coworkers debug problems at the packet and protocol levels. In addition to his operational security role, Dop helps support the open source Zeek community and volunteers to beta test the SANS Holiday Hack challenge.
2024-10-16, 10 am Pacific Time: Zeek@Meta: Scale, Log Enrichment and Detections
Speaker: Hamza Motiwalla, Network Threat Detection, Meta Platforms Inc
Abstract:
The ever-evolving threat landscape has made network security monitoring (NSM) imperative for Meta to safeguard assets and provide crucial network forensics. To address this need, we deploy Zeek and Suricata using commodity hardware across our network infrastructure. This presentation will dive into tap deployments at scale for our enterprise network (logging 15 billion connections daily), establish the need for downstream conn.log enrichment (IP->Hostname attribution) and give an overview of the active network detections across our network boundaries.
Bio:
Hamza is a Network Threat Detection Engineer at Meta. He spent the last year optimizing and maintaining the Network Security Monitoring (Zeek/Suricata) infrastructure stack at Meta. He studied for an MS in Computer Science at the University of Colorado Boulder with a focus in Systems and Networking. He is also certified as a GIAC Network Forensics Analyst. Hamza enjoys trail running and unwinding at San Francisco Bay Area parks.
2024-09-25, 5 pm Pacific Time: How to visualize OT/ICS networks for security measures
Speaker: Jiajian Zheng, Jia Wang, NTT Communications
Abstract:
OT (Operational Technology) / ICS (Industrial Control Systems) are specialized computing systems used to manage, monitor, and control physical devices, processes, and infrastructure in industries such as manufacturing, energy, transportation, and public works.
Ensuring the normal and safe operation of OT/ICS is of paramount importance, since the interruption of an OT/ICS due to cyberattacks may halt a production line, resulting in delays in product delivery and substantial financial losses. However, because system availability must be preserved, implementing EDR or updating operating systems and software packages in OT/ICS cannot be conducted in the same way as in IT systems. Thus, we aim to visualize and manage OT/ICS by leveraging Zeek, employing a method that does not impact the OT system but instead mirrors the communication data between OT devices.
There are two major challenges. First, the communication between OT/ICS devices relies on proprietary protocols that vary by manufacturer, and Zeek either lacks support for these diverse OT/ICS protocols or fails to provide sufficient log information. Second, even once a parser has been implemented, another considerable obstacle is the absence of PCAP files with which to verify the accuracy of the parser.
This presentation introduces the implementation process for CC-Link, the dominant protocol used in Japanese PLCs, and illustrates visualized images of the OT/ICS through the generated log data. Lastly, it clarifies the types of security problems that can be resolved by this strategy.
Bio:
Jiajian Zheng:
Jiajian Zheng is currently working as a development engineer at NTT Communications. He received his B.E. and M.E. in Computer and Network Engineering from The University of Electro-Communications in 2019 and 2021. In 2021, he joined NTT Communications, where he has worked on the development of OT/ICS security.
Jia Wang (Helen):
Jia Wang received her M.I. degree in Informatics from Yokohama National University, Japan. She was honored with the Best Presentation Award at the 6th International Conference on Cryptography, Security, and Privacy in 2022. She is currently working as a development engineer at NTT Communications. Her professional interests encompass network monitoring, IT/OT security, and blockchain security.
2024-09-18, 10 am Pacific Time: Don't be SADF: Make sure your input traffic is healthy
Speaker: Justin Azoff, Corelight
Abstract:
In order for Zeek to work properly, the traffic fed into it needs to be healthy. There are a number of pitfalls, like incorrectly wired optical taps or improperly configured load balancing, that can cause analysis issues. In most situations Zeek will run and produce log files, but log entries may be missing, incomplete, or contain duplicate information. We can use the Zeek logs to determine if everything is working properly. However, discovering that there is a problem is often the easy part. A separate group may be in charge of the physical networking layer, and they are not expected to be Zeek experts. If something is wrong, how can the problem be quantified and explained in a language that non-experts can understand?
Bio:
Justin Azoff has been working in the network security field for 20 years. He has been deploying and using Zeek since 2008, and has been supporting Zeek sensors at Corelight on diverse customer networks for five years.
2024-08-21, 10 am Pacific Time: Zeek Roadmap
Speaker: Christian Kreibich, Corelight
Slides: here
Abstract:
Christian Kreibich is going to give an overview of Zeek 7 and the upcoming project roadmap.
Bio:
Christian is the technical lead of the Zeek project, and an engineer at Corelight. Previously he built and led the networking team at Lastline, served on the OISF advisory board, and was a staff researcher at the International Computer Science Institute. He holds a PhD from the University of Cambridge.