Virtual ZeekWeek 2020 is free to attend, but registration is required. 
Wednesday, October 14 • 10:20am - 10:40am
Day 2 - Zeek Agent: Correlating Host and Network Logs for Better Forensics - Wajih Ul Hassan

You MUST register through Eventbrite to gain access to this session (Day 2).

Zeek Agent: Correlating Host and Network Logs for Better Forensics

Summary: I'll present Zeek Agent, an open source endpoint monitoring framework that seamlessly correlates endpoint activity with Zeek network logs. I'll talk about Zeek Agent architecture, implementation, and its use cases.

Abstract: There's potentially great power for security analysis in having both endpoint and network visibility, but one big challenge is how to tie the two together in a meaningful way. In this talk, I’ll present Zeek Agent, an endpoint monitoring tool that provides deeper visibility into organization-wide activities through transparently observing endpoint activity and correlating it with Zeek network logs. I’ll describe the design and implementation of the Zeek Agent framework and the techniques that we employ to derive correlations between host and network logs. Later in this talk, I’ll explain how we use the notion of causal analysis on the correlated host and network logs to accelerate the threat investigation process. Causal analysis can generate contextual history around the alert through automatically reconstructing the chain of events that lead to the alert event. Using such analysis, security analysts can better understand alerts without needing to write long ad-hoc queries to chain together context during threat investigation. Finally, I’ll present an attack case study to show the effectiveness of the causal analysis technique during attack investigation.

Slack Channel for this session - #vzw-day2-talk5-zeek-agent
Haven't joined the Zeek Slack space yet? You can do so at:

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9


Wajih Ul Hassan

Research Intern, Corelight, Inc.
Wajih Ul Hassan is a Ph.D. candidate in the CS Department of the University of Illinois at Urbana-Champaign, where he is advised by Adam Bates. His research interests are in system and network security, with an emphasis on intrusion detection, forensic analysis, and data provenance...

Wednesday October 14, 2020 10:20am - 10:40am PDT
Online - Zoom Meeting Room