##NetworkTrafficAnalysis
#Malcolm (malcolm.fyi) v25.09 features 🧠 threat intel improvements, new ⚙️ config options, 🆙 component updates, 🐛 fixes, more! Details @ github.com/idaholab/Malcolm/releases. Malcolm is a powerful tool suite for NSM 🕵🏻‍♂️. #Zeek #Arkime #NetBox #Suricata #NetworkTrafficAnalysis #networksecuritymonitoring
Malcolm
A powerful, easily deployable network traffic analysis tool suite for network security monitoring
malcolm.fyi
September 24, 2025 at 10:53 PM
Hey, y'all, if you use #Zeek (zeek.org), would you please take 10 minutes to fill out the Zeek Project Survey 2025 at zeek.org/survey? Let the Zeek team know how you feel about the project and help shape its direction moving forward. #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring
Zeek Project Survey 2025
Thank you for sharing your experience with Zeek! This brief survey will take no more than 10 minutes to complete and will help us improve the tools, support, and community that make Zeek great. In thi...
zeek.org
June 30, 2025 at 2:56 PM
Hey, y'all, if you have anything to do with the Zeek network security monitor (as a user, script/plugin developer, researcher, whatever), would you please take 10 minutes to fill out the Zeek Project Survey 2025. This is your chance to help the Zeek team know how you feel about the project and […]
Original post on infosec.exchange
infosec.exchange
June 30, 2025 at 2:58 PM
#Malcolm (malcolm.fyi) v25.06.0 features 🔐 #rbac, other ✨ improvements, 🆙 component version updates, 🐛 bug fixes, & more. Details @ github.com/idaholab/Malcolm/releases. Malcolm is a powerful tool suite for NSM 🕵🏻‍♂️. #Zeek #Arkime #NetBox #Suricata #NetworkTrafficAnalysis #networksecuritymonitoring
June 23, 2025 at 4:42 PM
#Malcolm (malcolm.fyi) v25.04.1 contains a bevy of ✨ improvements, 🆙 component version updates, 🐛 bug fixes, and other great stuff. 👁 github.com/idaholab/Mal... for details! Malcolm is a powerful tool suite for NSM 🕵🏻‍♂️. #Zeek #Arkime #NetBox #Suricata #NetworkTrafficAnalysis #networksecuritymonitoring
Malcolm
A powerful, easily deployable network traffic analysis tool suite for network security monitoring
malcolm.fyi
May 6, 2025 at 7:53 PM
How to Use Wireshark Filters to Analyze Your Network Traffic

This tutorial covers both foundational and advanced skills in using Wireshark:
➡️ Wireshark is a leading network protocol analyzer for capturing and dissecting packets.
➡️Wireshark filters dramatically reduce analysis time by […]
Original post on fosstodon.org
fosstodon.org
April 4, 2025 at 5:59 AM
#Malcolm (malcolm.fyi) v25.03.0 brings 🔐 auth via #Keycloak and with it #SSO, identity providers, and more! See the release notes github.com/cisagov/Malc... for more info! Malcolm is a powerful tool suite for NSM. #Zeek #Arkime #NetBox #Suricata #NetworkTrafficAnalysis #networksecuritymonitoring
March 19, 2025 at 2:27 PM
Malcolm (malcolm.fyi) v24.12.0 is out (github.com/cisagov/Malc...), with ✨enhancements, ✅component updates, and 🐛bug fixes. See the release notes for details. #Malcolm #HedgehogLinux #Zeek #Arkime #NetBox #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #CyberSecurity
December 19, 2024 at 4:18 PM
For anybody that missed my @zeek webinar on how Malcolm uses Zeek file extraction to look for #malware in network traffic, here's the recorded presentation!

#networktrafficanalysis #pcap #cybersecurity #malcolm #zeek
Zeek Webinars

Upcoming Webinars

2024-12-11, 10 am Pacific Time: Zeek File Extraction and Automating Malware Analysis
Speaker: Seth Grover, Idaho National Lab representing DHS CISA
Registration: https://us06web.zoom.us/webinar/register/WN_6CfZ3o3DRnuYE9o5G2sqwg
Abstract: Zeek’s file analysis framework allows files transferred in observed network traffic to be extracted to disk, but what next? This presentation will cover how Malcolm (https://cisagov.github.io/Malcolm) uses Zeek’s file extraction capability, from configuring which files to extract to performing automated analysis of extracted files using open-source tools like YARA, capa, and ClamAV.
Bio: Seth Grover is a software developer with twenty years of experience in cybersecurity-related network traffic analysis technologies. Much of Seth’s six years at the Idaho National Lab has been spent focused on the creation and development of Malcolm, an open source network traffic analysis tool suite providing visibility into IT and OT network communications. He accepted a seat on the Zeek LT in 2023. Seth and his wife Andrea are the proud parents of four daughters, a yellow lab named Peach, and a tuxedo cat named Toad.

Past Webinars
Recordings of past webinars are available on the Zeek YouTube channel, in the “Zeek Webinars – 2024” playlist: https://www.youtube.com/playlist?list=PL2EYTX8UVCMgtm4zafgCW8XblRNmrapky

2024-11-20, 10 am Pacific Time: Parsnip: Lowering the Barrier of Entry for Parser Development
Speaker: Melanie Pierce, Idaho National Laboratory
Registration: https://us06web.zoom.us/webinar/register/WN_B4eYpXi8SEeC_EYzbn1ARQ
Abstract: Spicy and BinPAC are robust languages that greatly aid developers in crafting protocol analyzers for Zeek. Spicy, in particular, has streamlined the process significantly over its predecessor, BinPAC, making it less daunting to develop network protocol analyzers. Yet, mastering Spicy’s relatively simpler syntax and tools still demands a considerable investment of time and effort. For seasoned developers who regularly build protocol analyzers, this is hardly a deterrent, as they can fully utilize the sophisticated capabilities of these languages. However, this complexity can deter others from attempting to build analyzers.
To address this challenge, the Cybersecurity & Infrastructure Security Agency (CISA) partnered with Idaho National Laboratory to develop and introduce Parsnip. This project aims to lower the entry barrier to creating analyzers by utilizing more accessible tools like a Graphical User Interface (GUI) and JSON. Parsnip provides a practical solution that covers 80-90% of the needs for an analyzer, which can either suffice in many scenarios or be refined further by a Spicy expert.
Bio: Melanie is a Cybersecurity Analyst at Idaho National Laboratory (INL). She joined INL in 2022. Melanie has a bachelor’s degree in Cybersecurity from Brigham Young University and is currently pursuing her master’s degree in computer science from Johns Hopkins University.
After joining INL, Melanie became involved in the efforts to secure critical infrastructure networks through the ICSNPP project and the Malcolm project. With the ICSNPP (Industrial Control Systems Network Protocol Parsers) project, Melanie develops Zeek parsers in Spicy and BINPAC to provide further visibility into critical infrastructure networks. These protocol parsers are incorporated into the Malcolm tool suite.
Melanie is passionate about simplifying security. Cybersecurity doesn’t need to be expensive or complicated. Melanie loves finding creative solutions to make the implementation of a basic security posture reachable, even among the smaller industries. Melanie is a strong believer in open-source software that benefits the entire community and wants to contribute to lasting impacts in critical infrastructure security.

2024-10-30, 10 am Pacific Time: Automated Zeek Builds and Adventures with the Management Framework
Speaker: Dop, ESNet
Registration: https://us06web.zoom.us/webinar/register/WN_2IoasggoR42KMhoeav-ndQ
Abstract: At ESnet, we pride ourselves on being cutting edge, even when we cut ourselves. Every new significant branch of zeek is automatically built and tested in Gitlab CI. Then, every night, the latest, successful ‘master’ build is deployed to a test system via ansible. As time permits, we roll out the latest build, in production, to over 40 servers. Through this process we’ve both been able to provide early feedback to the zeek project about potential bugs and give ourselves an early warning system when changes impact our production plugins and scripts.
The second half of this talk will cover how we look to support the future of multi-node cluster environments. With the announcement of zeekctl’s eventual retirement we moved to systemd for process control. These days we’re looking at the new Zeek Management Framework. It’s a little confusing at first, but we’ll discuss what it takes to build a single system or a cluster, including what works and what doesn’t.
Bio: Michael “Dop” Dopheide has spent the majority of his career working in the R&E community specializing in systems engineering, security research, incident response, and network intrusion detection. He especially enjoys helping coworkers debug problems at the packet and protocol levels. In addition to his operational security role, Dop helps support the open source Zeek community and volunteers to beta test the SANS Holiday Hack challenge.

2024-11-13, 10 am Pacific Time: What’s in a Name – Hiding in Plain Sight
Speaker: Brian Olson, Meta
Registration: https://us06web.zoom.us/webinar/register/WN_Hh0wmjsZR7yEIkVzybmhXQ
Abstract: In our increasingly digital world, detecting malicious activities via DNS analysis has become crucial for cybersecurity. This presentation briefly discusses DNS basics, domain registration norms, and dives into several advanced detection techniques to enhance security measures and identify data exfiltration, C2 communications, and other malicious activities.
Bio: From his early IT days troubleshooting computers in entry-level positions to leading Verizon Media’s security operations team during the historic Yahoo Breach Remediation, Brian Olson has carved a unique path in cybersecurity. As Meta’s Threat Detection Engineering Manager and a Certified SANS Instructor, Brian’s 17-year journey through the nuances of cybersecurity operations showcases a blend of his offensive and defensive experience, underscored by a Master’s degree in Information Security and a B.S. in Information Technology. His passion for the field extends beyond professional boundaries, as evidenced by his commitment to educating the next generation of cybersecurity experts. When he’s not analyzing the latest threat, Brian enjoys traveling the world. Connect with Brian to delve into the insights of a seasoned cybersecurity leader who’s just as comfortable navigating the complexities of information security as he is exploring a random city anywhere in the world.

2024-11-06, 10 am Pacific Time: How Zeek Helps Secure Open Science
Speaker: Aaron J. Scantlin, National Energy Research Scientific Computing Center (NERSC)
Registration: https://us06web.zoom.us/webinar/register/WN_RaVh0OdcRnG2EzhLNFiz7Q
Abstract: The National Energy Research Scientific Computing (NERSC) Center, an enclave of Lawrence Berkeley National Lab, is an “open science” research facility dedicated to making HPC resources accessible for researchers and their data accessible to the world. In environments such as these, every CPU cycle spent on security is seen as a CPU cycle not spent on science – and to that end, the NERSC Security team relies heavily on Zeek to passively monitor up to 1Tbps of traffic traversing the border. Additionally, the NERSC Security team leverages Zeek (in conjunction with fluentd) as a “SIEM on a stick” to ingest SSH logs – join NERSC Security team member Aaron Scantlin for an overview of their use case, cluster architecture and maintenance processes.
Bio: Aaron J. Scantlin is a cybersecurity engineer for the National Energy Research Scientific Computing (NERSC) Center at Lawrence Berkeley National Lab, as well as a former adjunct instructor in the College of Engineering at University of Missouri – Columbia. Aaron has been a Zeek Geek for so long he’s a Bro Bro! His first talk involving Zeek was a talk entitled “Home Network Security Monitoring on the Cheap” at SecKC in 2016 and he has found himself using Zeek in some capacity ever since. Energetic and passionate (sometimes to a fault), this talk will be sure to both inform and entertain.

2024-10-16, 10 am Pacific Time: Zeek@Meta: Scale, Log Enrichment and Detections
Speaker: Hamza Motiwalla, Network Threat Detection, Meta Platforms Inc
Registration: https://us06web.zoom.us/webinar/register/WN_5ROOBD2OSOCzVlfgLriAQg
Abstract: The ever-evolving threat landscape has made network security monitoring (NSM) imperative for Meta to safeguard assets and provide crucial network forensics. To address this need, we deploy Zeek and Suricata using commodity hardware across our network infrastructure. This presentation will dive into tap deployments at scale for our enterprise network (logging 15 billion connections daily), establish the need for downstream conn.log enrichment (IP->Hostname attribution) and give an overview of the active network detections across our network boundaries.
Bio: Hamza is a Network Threat Detection Engineer at Meta. He spent the last year optimizing and maintaining the Network Security Monitoring (Zeek/Suricata) infrastructure stack at Meta. He earned an MS in Computer Science at the University of Colorado Boulder with a focus in Systems and Networking. He is also certified as a GIAC Network Forensics Analyst. Hamza enjoys trail running and unwinding at San Francisco Bay Area parks.

2024-09-25, 5 pm Pacific Time: How to visualize OT/ICS networks for security measures
Speaker: Jiajian Zheng, Jia Wang, NTT Communications
Registration: https://us06web.zoom.us/webinar/register/WN_hCb5irezSFiuvM1Cz2l2MQ
Abstract: OT (Operational Technology) / ICS (Industrial Control Systems) are specialized computing systems used to manage, monitor, and control physical devices, processes, and infrastructure in industries such as manufacturing, energy, transportation, and public works.
Ensuring the normal and safe operation of OT/ICS is of paramount importance since the interruption of an OT/ICS due to cyberattacks may lead to halting a production line, resulting in delays in product delivery and substantial financial losses. However, considering system availability, implementing EDR or updating operating systems and software packages in OT/ICS cannot be conducted in the same way as in IT systems. Thus, we aim to visualize and manage OT/ICS by leveraging Zeek, employing a method that does not impact the OT system but instead mirrors the communication data between OT devices.
There are two major challenges. First, the communication between OT/ICS devices relies on proprietary protocols that vary by manufacturer. Nevertheless, Zeek lacks support for these diverse OT/ICS protocols or fails to provide sufficient log information. On the other hand, although a parser has been implemented, another considerable obstacle lies in the absence of the PCAP files to verify the accuracy of the parser.
This presentation introduces the implementation process of CC-Link, the dominant protocol utilized in Japanese PLCs, and illustrates visualized images of the OT/ICS through generated log data. Lastly, it clarifies the types of security problems that can be resolved by this strategy.
Bio:
Jiajian Zheng: Jiajian Zheng is currently working as a development engineer at NTT Communications. He received his B.E. and M.E. in Computer and Network Engineering from The University of Electro-Communications in 2019 and 2021. In 2021, he joined NTT Communications, where he worked on the development of OT/ICS security.
Helen: Jia Wang received her M.I. degree in Informatics from Yokohama National University, Japan. She was honored with the Best Presentation Award at the 6th International Conference on Cryptography, Security, and Privacy in 2022. She is currently working as a development engineer at NTT Communications. Her professional interests encompass network monitoring, IT/OT security, and blockchain security.

2024-09-18, 10 am Pacific Time: Don't be SADF: Make sure your input traffic is healthy
Speaker: Justin Azoff, Corelight
Registration: https://us06web.zoom.us/webinar/register/WN_0f8PZieFSVKQnHoi0it_lw
Abstract: In order for Zeek to work properly the traffic fed into it needs to be healthy. There are a number of pitfalls like incorrectly wired optical taps or improperly configured load balancing that can cause analysis issues. In most situations Zeek will run and produce log files, but log entries may be missing, incomplete, or contain duplicate information. We can use the Zeek logs to determine if everything is working properly. However, discovering that there is a problem is often the easy part. A separate group may be in charge of the physical networking layer and they are not expected to be Zeek experts. If something is wrong, how can the problem be quantified and explained in a language that non-Zeek experts can understand?
Bio: Justin Azoff has been working in the network security field for 20 years. He has been deploying and using Zeek since 2008, and has been supporting Zeek sensors at Corelight on diverse customer networks for five years.

2024-08-21, 10 am Pacific Time: Zeek Roadmap
Speaker: Christian Kreibich, Corelight
Slides: https://docs.google.com/presentation/d/14EcZSDpf6uRmDo9XMT3B-t18wuZP5yFhwUkhLBw5Qsg/edit?usp=sharing
Abstract: Christian Kreibich is going to give an overview of Zeek 7 and the upcoming project roadmap.
Bio: Christian is the technical lead of the Zeek project, and an engineer at Corelight. Previously he built and led the networking team at Lastline, served on the OISF advisory board, and was a staff researcher at the International Computer Science Institute. He holds a PhD from the University of Cambridge.
zeek.org
December 11, 2024 at 6:56 PM
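Two of the webinar abstracts in the listing above come down to the same practical step: reading Zeek's logs and turning them into a decision. Brian Olson's talk is about spotting exfiltration and C2 in DNS, and Justin Azoff's is about quantifying unhealthy input traffic (miswired taps, asymmetric load balancing, drops) in terms a network team can act on. The block below is an added example, not code from Malcolm, Zeek or either speaker. It parses Zeek's default tab-separated log format and runs both checks over constructed sample dns.log and conn.log records. The thresholds, the "zone = last two labels" shortcut, and the sample data are assumptions made for illustration.

```python
"""Tap-health and DNS-tunnel checks over Zeek TSV logs (added example with
constructed sample data; not Malcolm/Zeek project code)."""
import math
from collections import Counter, defaultdict


def parse_zeek_log(text):
    """Parse Zeek's default TSV output into dicts keyed by the #fields header.
    '-' is Zeek's unset marker and becomes None; other '#' lines are skipped."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            vals = line.split("\t")
            rows.append({k: (None if v == "-" else v) for k, v in zip(fields, vals)})
    return rows


def shannon_entropy(s):
    """Bits per character of s; 0.0 for the empty string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def find_dns_tunnels(dns_rows, min_unique=5, min_entropy=3.5, min_len=20):
    """Flag (client, zone) pairs whose subdomains look like encoded payloads:
    many distinct, long, high-entropy labels under one zone is the classic
    shape of DNS exfiltration or C2. Assumption: the zone is the last two
    labels; a real deployment would use the public suffix list instead."""
    subs_by_key = defaultdict(set)
    for r in dns_rows:
        labels = (r.get("query") or "").rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # bare zone such as example.com: nowhere to encode data
        zone, sub = ".".join(labels[-2:]), "".join(labels[:-2])
        subs_by_key[(r["id.orig_h"], zone)].add(sub)
    hits = {}
    for key, subs in subs_by_key.items():
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        mean_len = sum(len(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and mean_entropy >= min_entropy and mean_len >= min_len:
            hits[key] = {"unique_subdomains": len(subs),
                         "mean_entropy": round(mean_entropy, 2),
                         "mean_len": round(mean_len, 1)}
    return hits


def capture_health(conn_rows):
    """Quantify feed problems from TCP conn.log rows using Zeek's 'history'
    letters (uppercase = originator, lowercase = responder, '^' = direction
    flipped) and 'missed_bytes'. Thresholds are assumptions for illustration."""
    tcp = [r for r in conn_rows if r["proto"] == "tcp"]
    stats = {"tcp_conns": len(tcp), "midstream": 0, "one_sided": 0, "gapped": 0}
    for r in tcp:
        hist = (r["history"] or "").lstrip("^")
        letters = [c for c in hist if c.isalpha()]
        if not hist.startswith("S"):
            stats["midstream"] += 1  # no originator SYN: sensor joined late
        # Scans look one-sided too, so only count flows that carried payload.
        if ("D" in hist or "d" in hist) and (
                all(c.isupper() for c in letters) or all(c.islower() for c in letters)):
            stats["one_sided"] += 1  # only one direction ever reached Zeek
        if int(r["missed_bytes"] or 0) > 0:
            stats["gapped"] += 1  # sequence gap: packets lost before the sensor
    n = max(stats["tcp_conns"], 1)
    verdicts = []
    if stats["midstream"] / n > 0.10:
        verdicts.append("connection starts missing: check that the tap/SPAN forwards "
                        "both directions and that Zeek was not just restarted")
    if stats["one_sided"] / n > 0.05:
        verdicts.append("one direction only: asymmetric tap wiring or a load balancer "
                        "that does not hash both sides of a flow to the same worker")
    if stats["gapped"] / n > 0.05:
        verdicts.append("content gaps: drops between tap and sensor (oversubscribed "
                        "SPAN, NIC ring drops); compare with capture_loss.log")
    stats["verdicts"] = verdicts
    return stats


# Constructed sample logs (not real traffic), laid out like Zeek's TSV output.
DNS_FIELDS = ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
              "id.resp_p", "proto", "query", "qtype_name"]
DNS_LOG = "\n".join("\t".join(r) for r in [DNS_FIELDS] + [
    ["1700000000.10", "Cd1", "10.0.0.5", "50001", "10.0.0.2", "53", "udp", q, "A"]
    for q in ["www.example.com", "mail.example.com", "cdn.example.com",
              "api.example.com", "login.example.com"]   # benign: short, low entropy
] + [
    ["1700000001.20", "Cd2", "10.0.0.7", "50002", "10.0.0.2", "53", "udp",
     q + ".t.evil-example.net", "TXT"]                   # tunnel-shaped labels
    for q in ["a1b2c3d4e5f6g7h8i9j0klmn", "zyxwvutsrqponmlkjihgfedc",
              "0123456789abcdefghijklmn", "qwertyuiopasdfghjklzxcvb",
              "mnbvcxzlkjhgfdsapoiuytre"]
])
CONN_FIELDS = ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
               "id.resp_p", "proto", "conn_state", "missed_bytes", "history"]
CONN_LOG = "\n".join("\t".join(r) for r in [CONN_FIELDS] + [
    ["1700000002.0", "Cc%d" % i, "10.0.0.5", str(51000 + i), "93.184.216.34", "443",
     proto, state, missed, hist]
    for i, (proto, state, missed, hist) in enumerate([
        ("tcp", "SF", "0", "ShADadFf"),     # healthy: both sides, clean close
        ("tcp", "SF", "0", "ShADadFf"),
        ("tcp", "SF", "0", "ShADadFf"),
        ("tcp", "SF", "1460", "ShADadFf"),  # full handshake but a 1460-byte gap
        ("tcp", "SH", "0", "SADF"),         # originator only: responder never seen
        ("tcp", "OTH", "0", "DdAa"),        # no SYN: picked up midstream
        ("tcp", "OTH", "0", "DdAa"),
        ("udp", "SF", "0", "Dd"),           # UDP is ignored by capture_health
    ])
])


def main():
    for (client, zone), s in find_dns_tunnels(parse_zeek_log(DNS_LOG)).items():
        print(f"DNS: {client} -> {zone} looks like a tunnel: {s}")
    health = capture_health(parse_zeek_log(CONN_LOG))
    print(f"capture health over {health['tcp_conns']} TCP connections: {health}")


if __name__ == "__main__":
    main()
```

Point the two functions at real `dns.log` and `conn.log` files (read with `open(...).read()`) and the same code applies. On a healthy sensor the three counters in `capture_health` should sit near zero; the verdict strings are what you hand to the team that owns the taps, since "28% of TCP connections have no SYN" means something to them where "history DdAa" does not. For the DNS check, the registered-domain split and the thresholds are the parts to tune first: sites that legitimately use long hashed hostnames (CDNs, anti-spam lookups) will trip a naive entropy test.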
Next Wednesday the 11th at 10am Pacific time I'll be doing a @zeek webinar on how #malcolm uses Zeek file extraction to look for #malware in network traffic. You can register for the webinar via Zoom here or stream it on YouTube. I hope to see you there!

#networktrafficanalysis #pcap #cybersecurity
<div class="et-l et-l--post"> <div class="et_builder_inner_content et_pb_gutters3"> <div class="et_pb_section et_pb_section_0 et_pb_with_background et_section_regular"> <div class="et_pb_row et_pb_row_0"> <div class="et_pb_column et_pb_column_4_4 et_pb_column_0 et_pb_css_mix_blend_mode_passthrough et-last-child"> <div class="et_pb_module et_pb_text et_pb_text_0 et_pb_text_align_center et_pb_bg_layout_dark"> <div class="et_pb_text_inner"><h1 style="text-align: left;">Zeek Webinars</h1></div> </div> <!-- .et_pb_text --> </div> <!-- .et_pb_column --> </div> <!-- .et_pb_row --> </div> <!-- .et_pb_section --><div class="et_pb_section et_pb_section_1 et_section_regular"> <div class="et_pb_row et_pb_row_1"> <div class="et_pb_column et_pb_column_4_4 et_pb_column_1 et_pb_css_mix_blend_mode_passthrough et-last-child"> <div class="et_pb_module et_pb_text et_pb_text_1 et_pb_text_align_left et_pb_bg_layout_light"> <div class="et_pb_text_inner"><h1>Upcoming Webinars</h1> <ul></ul></div> </div> <!-- .et_pb_text --><div class="et_pb_button_module_wrapper et_pb_button_0_wrapper et_pb_button_alignment_right et_pb_module"> <a class="et_pb_button et_pb_custom_button_icon et_pb_button_0 pa-toggle-button et_pb_bg_layout_light" data-icon=";" href="https://zeek.org/events/webinars/">Expand All</a> </div><div class="et_pb_module et_pb_accordion et_pb_accordion_0 pa-toggle-open-close"> <div class="et_pb_toggle et_pb_module et_pb_accordion_item et_pb_accordion_item_0 et_pb_toggle_open"> <h5 class="et_pb_toggle_title">2024-12-11,10 am Pacific Time: Zeek File Extraction and Automating Malware Analysis</h5> <div class="et_pb_toggle_content clearfix"><h4>Speaker: Seth Grover, Idaho National Lab representing DHS CISA</h4> <p><a href="https://us06web.zoom.us/webinar/register/WN_6CfZ3o3DRnuYE9o5G2sqwg">Register for this webinar here.</a></p> <h3><strong>Abstract:</strong></h3> <p>Zeek’s file analysis framework allows files transferred in observed network traffic to be extracted to disk, but what 
next? This presentation will cover how Malcolm (<a href="https://cisagov.github.io/Malcolm" rel="nofollow">https://cisagov.github.io/Malcolm</a>) uses Zeek’s file extraction capability, from configuring which files to extract to performing automated analysis of extracted files using open-source tools like YARA, capa, and ClamAV.</p> <h3><strong>Bio:</strong></h3> <p>Seth Grover is a software developer with twenty years of experience in cybersecurity-related network traffic analysis technologies. Much of Seth’s six years at the Idaho National Lab has been spent focused on the creation and development of Malcolm, an open source network traffic analysis tool suite providing visibility into IT and OT network communications. He accepted a seat on the Zeek LT in 2023. Seth and his wife Andrea are the proud parents of four daughters, a yellow lab named Peach, and a tuxedo cat named Toad.</p></div> <!-- .et_pb_toggle_content --> </div> <!-- .et_pb_toggle --> </div> <!-- .et_pb_accordion --><div class="et_pb_module et_pb_text et_pb_text_2 et_pb_text_align_left et_pb_bg_layout_light"> <div class="et_pb_text_inner"><h2><span style="font-weight: 400;">Past Webinars</span></h2> <p>Recordings of past Webinars are available <a href="https://www.youtube.com/playlist?list=PL2EYTX8UVCMgtm4zafgCW8XblRNmrapky">on our Youtube channel, in the “Zeek Webinars – 2024” playlist</a>.</p></div> </div> <!-- .et_pb_text --><div class="et_pb_module et_pb_accordion et_pb_accordion_1 pa-toggle-open-close"> <div class="et_pb_toggle et_pb_module et_pb_accordion_item et_pb_accordion_item_1 et_pb_toggle_open"> <h5 class="et_pb_toggle_title">2024-11-20,10 am Pacific Time: Parsnip: Lowering the Barrier of Entry for Parser Development</h5> <div class="et_pb_toggle_content clearfix"><h4>Speaker: Melanie Pierce, Idaho National Laboratory</h4> <p><a href="https://us06web.zoom.us/webinar/register/WN_B4eYpXi8SEeC_EYzbn1ARQ">Register for this webinar here.</a></p> <h3><strong>Abstract:</strong></h3> <p>Spicy 
and BinPAC are robust languages that greatly aid developers in crafting protocol analyzers for Zeek. Spicy, in particular, has streamlined the process significantly over its predecessor, BinPAC, making it less daunting to develop network protocol analyzers. Yet, mastering Spicy’s relatively simpler syntax and tools still demands a considerable investment of time and effort. For seasoned developers who regularly build protocol analyzers, this is hardly a deterrent, as they can fully utilize the sophisticated capabilities of these languages. However, this complexity can deter others from attempting to build analyzers.</p> <p>To address this challenge, the Cybersecurity &amp; Infrastructure Security Agency (CISA) partnered with Idaho National Laboratory to develop and introduce Parsnip. This project aims to lower the entry barrier to creating analyzers by utilizing more accessible tools like a Graphical User Interface (GUI) and JSON. Parsnip provides a practical solution that covers 80-90% of the needs for an analyzer, which can either suffice in many scenarios or be refined further by a Spicy expert</p> <h3><strong>Bio:</strong></h3> <p>Melanie is a Cybersecurity Analyst at Idaho National Laboratory (INL). She joined INL in 2022. Melanie has a bachelor’s degree in Cybersecurity from Brigham Young University and is currently pursuing her master’s degree in computer science from Johns Hopkins University.</p> <p>After joining INL, Melanie became involved in the efforts to secure critical infrastructure networks through the ICSNPP project and the Malcolm project. With the ICSNPP (Industrial Control Systems Network Protocol Parsers) project, Melanie develops Zeek parsers in Spicy and BINPAC to provide further visibility into critical infrastructure networks. These protocol parsers are incorporated into the Malcolm tool suite.</p> <p>Melanie is passionate about simplifying security. Cybersecurity doesn’t need to be expensive or complicated. 
Melanie loves finding creative solutions to make the implementation of a basic security poster reachable, even among the smaller industries. Melanie is a strong believer in open-source software that benefits the entire community and wants to contribute to lasting impacts in critical infrastructure security.</p></div> <!-- .et_pb_toggle_content --> </div> <!-- .et_pb_toggle --><div class="et_pb_toggle et_pb_module et_pb_accordion_item et_pb_accordion_item_2 et_pb_toggle_close"> <h5 class="et_pb_toggle_title">2024-10-30, 10 am Pacific Time: Automated Zeek Builds and Adventures with the Management Framework</h5> <div class="et_pb_toggle_content clearfix"><h4>Speaker: Dop, ESNet</h4> <p><a href="https://us06web.zoom.us/webinar/register/WN_2IoasggoR42KMhoeav-ndQ">Register for this webinar here.</a></p> <h3><strong>Abstract:</strong></h3> <p>At ESnet, we pride ourselves on being cutting edge, even when we cut ourselves. Every new significant branch of zeek is automatically built and tested in Gitlab CI. Then, every night, the latest, successful ‘master’ build is deployed to a test system via ansible. As time permits, we roll out the latest build, in production, to over 40 servers. Through this process we’ve both been able to provide early feedback to the zeek project about potential bugs and give ourselves an early warning system when changes impact our production plugins and scripts.</p> <p>The second half of this talk will cover how we look to support the future of multi-node cluster environments. With the announcement of zeekctl’s eventual retirement we moved to systemd for process control. These days we’re looking at the new Zeek Management Framework. 
It’s a little confusing at first, but we’ll discuss what it takes to build a single system or a cluster, including what works and what doesn’t.</p> <h3><strong>Bio:</strong></h3> <p>Michael “Dop” Dopheide has spent the majority of his career working in the R&amp;E community specializing in systems engineering, security research, incident response, and network intrusion detection. He especially enjoys helping coworkers debug problems at the packet and protocol levels. In addition to his operational security role, Dop helps support the open source Zeek community and volunteers to beta test the SANS Holiday Hack challenge.</p></div> <!-- .et_pb_toggle_content --> </div> <!-- .et_pb_toggle --><div class="et_pb_toggle et_pb_module et_pb_accordion_item et_pb_accordion_item_3 et_pb_toggle_close"> <h5 class="et_pb_toggle_title">2024-11-13, 10 am Pacific Time: What’s in a Name – Hiding in Plain Sight</h5> <div class="et_pb_toggle_content clearfix"><h4>Speaker: Brian Olson, Meta</h4> <p><a href="https://us06web.zoom.us/webinar/register/WN_Hh0wmjsZR7yEIkVzybmhXQ">Register for this webinar here.</a></p> <h3>Abstract:</h3> <p>In our increasingly digital world, detecting malicious activities via DNS analysis has become crucial for cybersecurity. This presentation briefly discusses DNS basics, domain registration norms, and dives into several advanced detection techniques to enhance security measures and identify data exfiltration, C2 communications, and other malicious activities.</p> <h3>Bio:</h3> <p>From his early IT days troubleshooting computers in entry-level positions to leading Verizon Media’s security operations team during the historic Yahoo Breach Remediation, Brian Olson has carved a unique path in cybersecurity. 
As Meta’s Threat Detection Engineering Manager and a Certified SANS Instructor, Brian’s 17-year journey through the nuances of cybersecurity operations showcases a blend of his offensive and defensive experience, underscored by a Master’s degree in Information Security and a B.S. in Information Technology. His passion for the field extends beyond professional boundaries, as evidenced by his commitment to educating the next generation of cybersecurity experts. When he’s not analyzing the latest threat, Brian enjoys traveling the world. Connect with Brian to delve into the insights of a seasoned cybersecurity leader who’s just as comfortable navigating the complexities of information security as he is exploring a random city anywhere in the world.</p></div> <!-- .et_pb_toggle_content --> </div> <!-- .et_pb_toggle --><div class="et_pb_toggle et_pb_module et_pb_accordion_item et_pb_accordion_item_4 et_pb_toggle_close"> <h5 class="et_pb_toggle_title">2024-11-06, 10 am Pacific Time: How Zeek Helps Secure Open Science</h5> <div class="et_pb_toggle_content clearfix"><h4>Speaker: Aaron J. Scantlin, National Energy Research Scientific Computing Center (NERSC)</h4> <p><a href="https://us06web.zoom.us/webinar/register/WN_RaVh0OdcRnG2EzhLNFiz7Q">Register for this webinar here.</a></p> <h3><strong>Abstract:</strong></h3> <p>The National Energy Research Scientific Computing (NERSC) Center, an enclave of Lawrence Berkeley National Lab, is an “open science” research facility dedicated to making HPC resources accessible for researchers and their data accessible to the world. In environments such as these, every CPU cycle spent on security is seen as a CPU cycle not spent on science – and to that end, the NERSC Security team relies heavily on Zeek to passively monitor up to 1Tbps of traffic traversing the border. 
Additionally, the NERSC Security team leverages Zeek (in conjunction with fluentd) as a “SIEM on a stick” to ingest SSH logs – join NERSC Security team member Aaron Scantlin for an overview of their use case, cluster architecture and maintenance processes.</p> <h3><strong>Bio:</strong></h3> <p>Aaron J. Scantlin is a cybersecurity engineer for the National Energy Research Scientific Computing (NERSC) Center at Lawrence Berkeley National Lab, as well as a former adjunct instructor in the College of Engineering at University of Missouri – Columbia. Aaron has been a Zeek Geek for so long he’s a Bro Bro! His first talk involving Zeek was a talk entitled “Home Network Security Monitoring on the Cheap” at SecKC in 2016 and he has found himself using Zeek in some capacity ever since. Energetic and passionate (sometimes to a fault), this talk will be sure to both inform and entertain.</p></div> <!-- .et_pb_toggle_content --> </div> <!-- .et_pb_toggle --><div class="et_pb_toggle et_pb_module et_pb_accordion_item et_pb_accordion_item_5 et_pb_toggle_close"> <h5 class="et_pb_toggle_title">2024-12-11, 10 am Pacific Time: Zeek File Extraction and Automating Malware Analysis</h5> <div class="et_pb_toggle_content clearfix"><h4>Speaker: Seth Grover, Idaho National Lab representing DHS CISA</h4> <p><a href="https://us06web.zoom.us/webinar/register/WN_6CfZ3o3DRnuYE9o5G2sqwg">Register for this webinar here.</a></p> <h3><strong>Abstract:</strong></h3> <p>Zeek’s file analysis framework allows files transferred in observed network traffic to be extracted to disk, but what next? 
This presentation will cover how Malcolm (<a href="https://cisagov.github.io/Malcolm" rel="nofollow">https://cisagov.github.io/Malcolm</a>) uses Zeek’s file extraction capability, from configuring which files to extract to performing automated analysis of extracted files using open-source tools like YARA, capa, and ClamAV.</p> <h3><strong>Bio:</strong></h3> <p>Seth Grover is a software developer with twenty years of experience in cybersecurity-related network traffic analysis technologies. Much of Seth’s six years at the Idaho National Lab has been spent focused on the creation and development of Malcolm, an open source network traffic analysis tool suite providing visibility into IT and OT network communications. He accepted a seat on the Zeek LT in 2023. Seth and his wife Andrea are the proud parents of four daughters, a yellow lab named Peach, and a tuxedo cat named Toad.</p></div> <!-- .et_pb_toggle_content --> </div> <!-- .et_pb_toggle --> </div> <!-- .et_pb_accordion --><div class="et_pb_module et_pb_accordion et_pb_accordion_2 pa-toggle-open-close"> <div class="et_pb_toggle et_pb_module et_pb_accordion_item et_pb_accordion_item_6 et_pb_toggle_open"> <h5 class="et_pb_toggle_title">2024-10-16, 10 am Pacific Time: Zeek@Meta: Scale, Log Enrichment and Detections</h5> <div class="et_pb_toggle_content clearfix"><h4>Speaker: Hamza Motiwalla, Network Threat Detection, Meta Platforms Inc</h4> <p><a href="https://us06web.zoom.us/webinar/register/WN_5ROOBD2OSOCzVlfgLriAQg">Register for this webinar here.</a></p> <h3><strong>Abstract:</strong></h3> <p>The ever-evolving threat landscape has made network security monitoring (NSM) imperative for Meta to safeguard assets and provide crucial network forensics. To address this need, we deploy Zeek and Suricata using commodity hardware across our network infrastructure. 
This presentation will dive into tap deployments at scale for our enterprise network (logging 15 billion connections daily), establish the need for downstream conn.log enrichment (IP-&gt;Hostname attribution) and give an overview of the active network detections across our network boundaries.</p> <h3><strong>Bio:</strong></h3> <p>Hamza is a Network Threat Detection Engineer at Meta. He spent the last year optimizing and maintaining the Network Security Monitoring (Zeek/Suricata) infrastructure stack at Meta. He studied for an MS in Computer Science at the University of Colorado Boulder with a focus in Systems and Networking. He is also certified as a GIAC Network Forensics Analyst. Hamza enjoys trail running and unwinding at San Francisco Bay Area parks.</p></div> <!-- .et_pb_toggle_content --> </div> <!-- .et_pb_toggle --><div class="et_pb_toggle et_pb_module et_pb_accordion_item et_pb_accordion_item_7 et_pb_toggle_close"> <h5 class="et_pb_toggle_title">2024-09-25, 5 pm Pacific Time: How to visualize OT/ICS networks for security measures</h5> <div class="et_pb_toggle_content clearfix"><h4>Speaker: Jiajian Zheng, Jia Wang, NTT Communications</h4> <p><a href="https://us06web.zoom.us/webinar/register/WN_hCb5irezSFiuvM1Cz2l2MQ">Register for this webinar here.</a></p> <h3>Abstract:</h3> <p>OT (Operational Technology) / ICS (Industrial Control Systems) are specialized computing systems used to manage, monitor, and control physical devices, processes, and infrastructure in industries such as manufacturing, energy, transportation, and public works.</p> <p>Ensuring the normal and safe operation of OT/ICS is of paramount importance since the interruption of an OT/ICS due to cyberattacks may lead to halting the production line, resulting in delays in product delivery and substantial financial losses. However, considering system availability, implementing EDR or updating operating systems and software packages in OT/ICS cannot be conducted in the same way as in IT systems. 
Thus, we aim to visualize and manage OT/ICS by leveraging Zeek, employing a method that does not impact the OT system but instead mirrors the communication data between OT devices.</p> <p>There are two major challenges. First, the communication between OT/ICS devices relies on proprietary protocols that vary by manufacturer. Nevertheless, Zeek lacks support for these diverse OT/ICS protocols or fails to provide sufficient log information. On the other hand, although a parser has been implemented, another considerable obstacle lies in the absence of the PCAP files to verify the accuracy of the parser.</p> <p>This presentation introduces the implementation process of CC-Link, the dominant protocol utilized in Japanese PLCs, and illustrates visualized images of the OT/ICS through generated log data. Lastly, it clarifies the types of security problems that can be resolved by this strategy.</p> <h3>Bio:</h3> <h4>Jiajian Zheng:</h4> <p>Jiajian Zheng is currently working as a development engineer at NTT Communications. He received his B.E. and M.E. in Computer and Network Engineering from The University of Electro-Communications in 2019 and 2021. In 2021, he joined NTT Communications, where he worked on the development of the OT/ICS security.</p> <h4>Helen:</h4> <p>Jia Wang received her M.I. degree in Informatics from Yokohama National University, Japan. She was honored with the Best Presentation Award at the 6th International Conference on Cryptography, Security, and Privacy in 2022. She is currently working as a development engineer at NTT Communications. 
Her professional interests encompass network monitoring, IT/OT security, and blockchain security.</p></div> <!-- .et_pb_toggle_content --> </div> <!-- .et_pb_toggle --><div class="et_pb_toggle et_pb_module et_pb_accordion_item et_pb_accordion_item_8 et_pb_toggle_close"> <h5 class="et_pb_toggle_title">2024-09-18, 10 am Pacific Time: Don't be SADF: Make sure your input traffic is healthy</h5> <div class="et_pb_toggle_content clearfix"><h4>Speaker: Justin Azoff, Corelight</h4> <p><a href="https://us06web.zoom.us/webinar/register/WN_0f8PZieFSVKQnHoi0it_lw">Register for this webinar here.</a></p> <h3><b>Abstract:</b></h3> <p>In order for Zeek to work properly the traffic fed into it needs to be healthy. There are a number of pitfalls like incorrectly wired optical taps or improperly configured load balancing that can cause analysis issues. In most situations Zeek will run and produce log files, but log entries may be missing, incomplete, or contain duplicate information. We can use the Zeek logs to determine if everything is working properly. However, discovering that there is a problem is often the easy part. A separate group may be in charge of the physical networking layer and they are not expected to be Zeek experts. If something is wrong, how can the problem be quantified and explained in a language that non-Zeek experts can understand?</p> <h3><b>Bio:</b></h3> <p>Justin Azoff has been working in the network security field for 20 years. 
He has been deploying and using Zeek since 2008, and has been supporting Zeek sensors at Corelight on diverse customer networks for five years.</p></div> <!-- .et_pb_toggle_content --> </div> <!-- .et_pb_toggle --> </div> <!-- .et_pb_accordion --><div class="et_pb_module et_pb_accordion et_pb_accordion_3 pa-toggle-open-close"> <div class="et_pb_toggle et_pb_module et_pb_accordion_item et_pb_accordion_item_9 et_pb_toggle_open"> <h5 class="et_pb_toggle_title">2024-08-21, 10 am Pacific Time: Zeek Roadmap</h5> <div class="et_pb_toggle_content clearfix"><h4>Speaker: Christian Kreibich, Corelight</h4> <h4>Slides: <a href="https://docs.google.com/presentation/d/14EcZSDpf6uRmDo9XMT3B-t18wuZP5yFhwUkhLBw5Qsg/edit?usp=sharing">here</a></h4> <h3><b>Abstract:</b></h3> <p>Christian Kreibich is going to give an overview of Zeek 7 and the upcoming project roadmap.</p> <h3><b>Bio:</b></h3> <p>Christian is the technical lead of the Zeek project, and an engineer at Corelight. Previously he built and led the networking team at Lastline, served on the OISF advisory board, and was a staff researcher at the International Computer Science Institute. He holds a PhD from the University of Cambridge.</p></div> <!-- .et_pb_toggle_content --> </div> <!-- .et_pb_toggle --> </div> <!-- .et_pb_accordion --> </div> <!-- .et_pb_column --> </div> <!-- .et_pb_row --> </div> <!-- .et_pb_section --> </div><!-- .et_builder_inner_content --> </div><!-- .et-l -->
zeek.org
December 7, 2024 at 7:15 PM