Bringing Bro to the Enterprise
Comprehensive Visibility & Response for Every Corner of Your Network

Robin Sommer
International Computer Science Institute, & Broala, LLC
robin@icsi.berkeley.edu
robin@broala.com
http://www.icir.org/robin
Outline
- Bro Overview: a production-quality open-source network monitor.
- A Bit of Bro History: from academic research to enterprise deployment.
- Enterprise Solutions: roadmap for deep visibility and control.
2 Bringing Bro to the Enterprise
The Bro Platform
[Diagram: Open Source, BSD License. Analysis applications built on the platform: Network Visibility, Intrusion Detection, Vulnerability Management, Traffic Measurement, Compliance Monitoring, Traffic Control. Platform layers, top to bottom: Programming Language, Standard Library, Packet Processing, Tap, Network.]
“What Can It Do?”
[Diagram: Bro produces Custom Log Files, Alerts, and Logic. The log files are the “network ground truth”.]
Bro’s Log Files
Rich, structured, real-time activity streams.
[Diagram: Network Traffic -> Bro -> Logs]
Connection Logs (conn.log)
Description            Field            Example value
Timestamp              ts               1393099415.790834
Unique ID              uid              CSoqsg12YRTsWjYbZc
Originator IP          id.orig_h        2004:b9e5:6596:9876:[…]
Originator Port        id.orig_p        59258
Responder IP           id.resp_h        2b02:178:2fde:bff:[…]
Responder Port         id.resp_p        80
IP Protocol            proto            tcp
App-layer Protocol     service          http
Duration               duration         2.105488
Bytes by Originator    orig_bytes       416
Bytes by Responder     resp_bytes       858
TCP state              conn_state       SF
Local Originator?      local_orig       F
Gaps                   missed_bytes     0
State History          history          ShADafF
Outer Tunnels          tunnel_parents   Cneap78AnVWoA1yml
HTTP (http.log)
ts                1393099291.589208
uid               CKFUW73bIADw0r9pl
id.orig_h         2a07:f2c0:90:402:41e:c13:6cb:99c
id.orig_p         54352
id.resp_h         2406:fe60:f47::aaeb:98c
id.resp_p         80
method            POST
host              com-services.pandonetworks.com
uri               /soapservices/services/SessionStart
referrer          -
user_agent        Mozilla/4.0 (Windows; U) Pando/2.6.0.8
status_code       200
username          anonymous
password          -
orig_mime_types   application/xml
resp_mime_types   application/xml
SSL (ssl.log)
ts                     1392805957.927087
uid                    CEA05l2D7k0BD9Dda2
id.orig_h              2a07:f2c0:90:402:41e:c13:6cb:99c
id.orig_p              40475
id.resp_h              2406:fe60:f47::aaeb:98c
id.resp_p              443
version                TLSv10
cipher                 TLS_DHE_RSA_WITH_AES_256_CBC_SHA
server_name            www.netflix.com
subject                CN=www.netflix.com,OU=Operations,O=Netflix, Inc.,L=Los Gatos,ST=CALIFORNIA,C=US
issuer_subject         CN=VeriSign Class 3 Secure Server CA,OU=VeriSign Trust Network,O=VeriSign, C=US
not_valid_before       1389859200.000000
not_valid_after        1452931199.000000
client_subject         -
client_issuer_subject  -
cert_hash              197cab7c6c92a0b9ac5f37cfb0699268
validation_status      ok
Software (software.log)
ts                 1392796839.675867
host               10.209.100.2
host_p             -
software_type      HTTP::BROWSER
name               DropboxDesktopClient
version.major      2
version.minor      4
version.minor2     11
version.minor3     -
version.addl       Windows
unparsed_version   DropboxDesktopClient/2.4.11 (Windows; 8; i32; en_US; Trooper 5694-2047-1832-6291-8315)
Files (files.log)
ts           1392797643.447056
fuid         FnungQ3TI19GahPJP2
tx_hosts     191.168.187.33
rx_hosts     10.1.29.110
conn_uids    CbDgik2fjeKL5qzn55
source       SMTP
analyzers    SHA1,MD5
mime_type    application/x-dosexec
filename     Letter.exe
duration     5.320822
local_orig   T
seen_bytes   39508
md5          93f7f5e7a2096927e06e[…]1085bfcfb
sha1         daed94a5662a920041be[…]a433e501646ef6a03
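The slides list the fields of conn.log but not how Bro writes them to disk. As an added example (not part of the slides or of the Bro project), here is a small Python reader for Bro's tab-separated ASCII log format, driven by the log's own #fields/#types header; the conn.log excerpt inside it is constructed, with invented addresses and a second record that has unset fields and a packet gap.

```python
from typing import Any, Dict, Iterator, List

# Constructed conn.log excerpt in the ASCII writer's format: #-prefixed header
# lines (#fields/#types drive the parsing), then one tab-separated record per line.
SAMPLE_CONN_LOG = "\n".join("\t".join(cols) for cols in [
    ["#empty_field", "(empty)"],
    ["#unset_field", "-"],
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
     "local_orig", "missed_bytes", "history", "tunnel_parents"],
    ["#types", "time", "string", "addr", "port", "addr", "port", "enum", "string",
     "interval", "count", "count", "string", "bool", "count", "string", "set[string]"],
    ["1393099415.790834", "CSoqsg12YRTsWjYbZc", "2001:db8::10", "59258",
     "2001:db8:1::80", "80", "tcp", "http", "2.105488", "416", "858", "SF", "F",
     "0", "ShADafF", "Cneap78AnVWoA1yml"],
    ["1393099420.000000", "CxXYZ1abc", "10.0.0.5", "40475", "10.0.0.9", "443",
     "tcp", "ssl", "-", "-", "-", "S0", "T", "1200", "S", "(empty)"],
])
# Converters keyed by Bro type name; anything else (addr, string, enum) stays text.
_SCALAR = {"time": float, "interval": float, "double": float,
           "count": int, "int": int, "port": int, "bool": lambda v: v == "T"}

def _convert(value: str, typ: str, meta: Dict[str, str]) -> Any:
    if value == meta["unset_field"]:
        return None  # '-' means the field was never set for this record
    if typ.startswith(("set[", "vector[")):
        return [] if value == meta["empty_field"] else value.split(meta["set_separator"])
    return _SCALAR.get(typ, str)(value)

def parse_bro_log(text: str) -> Iterator[Dict[str, Any]]:
    # Yield one dict per record, typed from the log's own #fields/#types header.
    meta = {"set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    fields, types = [], []
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key in meta:
                meta[key] = rest
            elif key == "fields":
                fields = rest.split("\t")
            elif key == "types":
                types = rest.split("\t")
            continue  # #separator, #path, #open, #close carry no record data
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError("column count does not match #fields header")
        yield {f: _convert(v, t, meta) for f, t, v in zip(fields, types, cols)}

def connections_with_gaps(records: List[Dict[str, Any]]) -> List[str]:
    """uids where the sensor missed bytes: their app-layer analysis is incomplete."""
    return [r["uid"] for r in records if r["missed_bytes"]]
```

Connections reported with missed_bytes > 0 are worth tracking separately: the tap or NIC dropped part of them, so service detection and the HTTP/SSL/files logs for those uids may be incomplete.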
“What Can It Do?”
[Diagram: Custom Log Files (“Network Ground Truth”), Alerts (“Watch this!”), Logic (record & trigger actions).]
“Don’t ask what Bro can do. Ask what you want it to do.”
Typical Deployment
[Diagram: Internet -- 1/10G -- Border Gateway -- 1/10G -- LAN. A tap on the border link feeds the NIC of a Bro System running several Bro processes, which emit Logs & Alerts.]
Cluster Deployment
[Diagram: Internet -- 100G -- Border Gateway -- LAN. A 100G tap feeds a load-balancer that splits the traffic into four 10G streams, one per node. Each node has its own NIC and runs multiple Bro processes; together the nodes form a Bro Cluster that emits Logs & Alerts.]
“Who’s Using It?”
[Map: installations across the country]
Universities, Research Labs, Supercomputing Centers, Government Organizations, Fortune 20 Enterprises.
Community:
- 50/90/150/180 attendees at BroCon ’12/’13/’14/‘15 (Update: BroCon 2015, MIT; 110 organizations at BroCon ‘15)
- 4,500 Twitter followers
- 1,000 mailing list subscribers
- 100 users average on IRC channel
- 10,000 direct downloads / version from 150 countries
- Fully integrated into Security Onion, a popular security-oriented Linux distribution
A Bit of Bro History
From Academic Research To Enterprise Deployment
Bro History
[Timeline figure, 1995 to 2016, with an Academic track (publications) and an Enterprise track (releases and features); per-item years are not recoverable from the extraction. Labels on the figure:
Origins: Vern writes 1st line of code; LBNL starts using Bro operationally; USENIX Paper.
Academic: Stepping Stones; Backdoors; Active Mapping; Context Signat.; Anonymizer; Tor Traffic; TRW; 2nd Path; DPD; BinPAC; Time Machine; Host Context; Independ. State; Bro Cluster; Shunt; Parallel Prototype; Autotuning; DPI Concurrency; State Mgmt.; Traffic Summary Stats; Input Framework; SSL Trust Relationships; HILTI; VAST; PLC Modeling; NetControl.
Enterprise: releases v0.2, v0.4, v0.6, v0.7a48, v0.7a90, v0.7a175/0.8aX, 0.8a37, v0.8aX/0.9aX, v1.0, v1.1/v1.2, v1.3, v1.4, v1.5, v2.0, v2.1, v2.2, v2.3, v2.4; 1st CHANGES entry; Login analysis; RegExps; HTTP analysis; Scan detector; IP fragments; SSL/SMB; when Stmt; State Mgmt; SMTP; Signatures; IRC/RPC analyzers; HTTP entities; Conn Compressor; Persistence; Communication; Namespaces; Log Rotation; IPv6 support; NetFlow; GeoIP; Ctor expressions; Profiling; Resource tuning; BroLite, later Bro Lite Deprecated; STABLE releases; Consistent CHANGES; Sane version numbers; 64-bit support; Linux support; User manual; DHCP/BitTorrent; BinPAC; Broccoli; DPD; Bro Center, SDCI; BroControl; User Experience; Performance; IPv6; Input Framew.; SNMP, Radius, SSL++; Summary Stats; File Analysis; Plugins; DTLS/KRB; Broker.]
A Tale of Two Users
Science & Higher Education        Enterprises & Government
Happy to experiment.              Used to purchasing solutions.
Used to open-source software.     Require reliable point of contact.
Driven by skilled individuals.    Avoid dependence on individuals.
Limited funding.                  More flexible budgets.
Bro Center of Expertise
BroBox One: Visibility, made elegantly simple.
Enterprise-grade Bro solutions, from the creators of Bro.
- Commercial Bro support plans.
- Plug & play Bro appliances.
- Bro logs and file extraction.
- Export to Kafka, Splunk, Syslog, SFTP.
- Aggressively tuned for performance.
- Zero maintenance, ready for the future.
Advantage: Integration
With BroBox One we are controlling the full stack.
[Diagram: Bro System with NIC and multiple Bro processes; label “1 year”]
We can take integration much further, while maintaining the open-source spirit.
Enterprise Solutions
Roadmap for deep visibility and control
Monitoring Enterprise Environments
- From perimeter to internal.
- From standalone to coordinated.
- From passive to active.
[Diagram: Enterprise Network]
Bro’s open-source roadmap is full of functionality to support all of this.
Monitoring Internal Traffic
LBNL’s Pragmatic Approach: The “Internal Cluster”
[Diagram: Subnet 1, Subnet 2, Subnet 3 and Subnet 4 each feed a load-balancer, which distributes the traffic over four 10G links to the NICs of four nodes, each running multiple Bro processes, forming a Bro Cluster.]
Vision: Deep Cluster
Example: Geographically distributed organization.
[Diagram: a Global Master (Config. & Mgmt., Logs & Alarms) above Regional Heads for US, UK, FR and CN, each above Local Clusters of Bro nodes.]
Foundation: Broker
Bro’s new unified communication library.
- Log forwarding.
- Publish/subscribe.
- Event exchange.
- APIs for Bro, C++, C, Python.
- Global key/value stores.
- BSD license.
http://github.com/bro/broker
Global Coordination with Broker
[Diagram: a global Bro master (Config. & Mgmt., Logs & Alarms) with a global Data Store; Global Events and State flow to regional Bro heads for US, UK, FR and CN, each with its own Data Store, and on to the local Bro nodes.]
Global state through persistent data stores.
Global correlation through message passing.
Bro’s Summary Statistics
“Bro’s version of MapReduce.”
[Diagram of the Statistical Framework: Sensor 1 through Sensor n each feed Observations into Reducers that produce Result Values; the Master taps & polls the sensors’ values, Merges the Results into Summary Statistics (Results & Outputs), and a Predicate on the merged result triggers a Notify.]
Comes with Bro for the classic cluster. Deep Cluster support in planning.
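As an added example (not from the slides or the Bro code base), the observe, reduce, merge and trigger stages of the diagram above modelled in plain Python: two sensors each reduce their slice of constructed observations, the master polls and merges them, and a threshold predicate on the merged result produces a notice that neither sensor could have raised on its own. Sensor, Result, epoch and run_demo are names chosen here, not Bro's SumStats API.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

@dataclass
class Result:
    """Reducer state for one key: observation count and distinct values seen."""
    num: int = 0
    unique: Set[str] = field(default_factory=set)

    def merge(self, other: "Result") -> "Result":
        return Result(self.num + other.num, self.unique | other.unique)

class Sensor:
    """A cluster worker: reduces observations locally until the master polls it."""
    def __init__(self) -> None:
        self.results: Dict[str, Result] = {}

    def observe(self, key: str, value: str) -> None:
        r = self.results.setdefault(key, Result())
        r.num += 1
        r.unique.add(value)

    def poll(self) -> Dict[str, Result]:
        taken, self.results = self.results, {}  # hand over and start a new epoch
        return taken

def merge_results(polled: Iterable[Dict[str, Result]]) -> Dict[str, Result]:
    merged: Dict[str, Result] = {}
    for partial in polled:
        for key, r in partial.items():
            merged[key] = merged[key].merge(r) if key in merged else r
    return merged

def epoch(sensors: List[Sensor], threshold: int) -> Tuple[Dict[str, Result], List[str]]:
    """Master side: poll every sensor, merge, apply the predicate, emit notices."""
    merged = merge_results(s.poll() for s in sensors)
    notices = [f"{key} contacted {len(r.unique)} distinct responders"
               for key, r in merged.items() if len(r.unique) >= threshold]
    return merged, notices

# Constructed observations: (sensor index, originator, responder). The load-balancer
# spreads one originator's connections over both sensors, so each sensor alone sees
# only 3 distinct responders for 10.1.1.5 while the merged view sees 5.
OBSERVATIONS = [
    (0, "10.1.1.5", "10.2.0.1"), (0, "10.1.1.5", "10.2.0.2"), (0, "10.1.1.5", "10.2.0.3"),
    (1, "10.1.1.5", "10.2.0.3"), (1, "10.1.1.5", "10.2.0.4"), (1, "10.1.1.5", "10.2.0.5"),
    (0, "10.1.1.9", "10.2.0.1"), (1, "10.1.1.9", "10.2.0.1"),
]

def run_demo(threshold: int = 5) -> Tuple[Dict[str, Result], List[str]]:
    sensors = [Sensor(), Sensor()]
    for idx, orig, resp in OBSERVATIONS:
        sensors[idx].observe(orig, resp)
    return epoch(sensors, threshold)
```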