Virtual ZeekWeek 2020 is free to attend, but registration is required.

Day 2 - User Track
Wednesday, October 14
 

9:00am PDT

Day 2 - Welcome / LT Introductions and Governance Update - Keith Lehigh

You MUST register through eventbrite to gain access to this session (Day 2).


Slack Channel for this session - #vzw-day2-talk1-welcome-lt-introductions-and-governance
Haven't joined the Zeek Slack space yet? You can do so at:
https://join.slack.com/t/zeekorg/shared_invite/zt-cgz9wa7p-BXihgVtZlmnRfHZXmUltZQ

Link to Session Survey - https://forms.gle/aFCTXniakuJGi7YN9

Speakers
Keith Lehigh

University Information Security Officer, Indiana University
I lead a team of security engineers at Indiana University as my day job.  I've been involved in the Zeek community for 10+ years in a variety of ways.  When I'm not working, I'm probably cooking or grilling.



Wednesday October 14, 2020 9:00am - 9:20am PDT
Online - Zoom Meeting Room

9:20am PDT

Day 2 - An Overview of Zeek Performance - Vern Paxson

Achieving high performance has been a central goal for Zeek’s operation since its original design. We’ll discuss the different elements that go into Zeek’s overall performance, how its architecture has evolved over the years to support faster processing, and a new approach I’ve developed for optimizing Zeek script execution.


Slack Channel for this session - #vzw-day2-talk2-zeek-performance

Speakers
Vern Paxson

Professor of Computer Science at UC Berkeley and Zeek (fka Bro), Co-founder and Chief Scientist at Corelight, Inc.
Vern is co-founder and Chief Scientist at Corelight, and Professor of Computer Science at UC Berkeley. A prolific and internationally-recognized researcher, Vern also leads the Networking and Security Group at the International Computer Science Institute and for decades held a position...



Wednesday October 14, 2020 9:20am - 9:40am PDT
Online - Zoom Meeting Room

9:40am PDT

Day 2 - I have an IT inventory! Now what? - Nick Turley

Summary: Zeek is not only a powerful platform for network security analysis, but Zeek can also play an important role in identifying, classifying, and inventorying your systems. Learn about the importance of contextual enrichment and correlation in Zeek for security and IT operations.

Abstract: Zeek is not only a powerful platform for network security analysis, but Zeek can also play an important role in your overall IT enterprise and operations strategy. Many organizations struggle with the ability to build and maintain inventory, apply real-time contextual enrichment, and understand the "hidden issues" that can lead to larger operational problems down the road. Using Zeek's powerful Input Framework, you can provide real-time data enrichment that can help bridge gaps with your inventory/CMDB platforms and help you find answers to important security and operational questions about your environment.

Slack Channel for this session - #vzw-day2-talk3-it-inventory

Speakers
Nick Turley

BYU
Nick Turley is an IT Enterprise Architect at Brigham Young University where he is responsible for directing technology-related architectural efforts, including security and SecOps architecture. Nick has held prior roles as a software engineer, penetration tester, security manager...



Wednesday October 14, 2020 9:40am - 10:00am PDT
Online - Zoom Meeting Room

10:00am PDT

Day 2 - Is Weird still weird? Take-2 @ESnet - Fatema Bannat Wala

Summary: This presentation is going to be about the findings and the resolutions done to mitigate some of the heavily triggered weirds on the ESnet network. It is similar to the analysis done in an earlier version of this talk back in 2018 (Is weird really weird?); however, this time it presents new findings on a different network.

Abstract: The weird log file is one of the most interesting log files to analyze that Zeek generates. It reveals information about network activity that is not categorized as normal according to the TCP/IP and other protocol standards. I have been paying more attention to the weird.log file for the last few years, and there was a related talk in 2018 which discussed the network misconfigurations found and how they were fixed, based on weird.log file analysis. Similarly, this time the talk is going to present findings and results from ESnet's network traffic, and whether they are really ‘weird’, or just a misconfigured application or misconfigured firewall rules that are causing the weird patterns in the traffic.

Slack Channel for this session - #vzw-day2-talk4-is-weird-still-weird

Speakers
Fatema Bannat Wala

ESNet
I am a big fan of Zeek and a security enthusiast, working in the industry as a Security Engineer for the past 5 years. Recently I joined ESnet's security team where I work on the centralized SIEM solution, making IDS/NSM monitoring better and doing IR and threat hunting.



Wednesday October 14, 2020 10:00am - 10:20am PDT
Online - Zoom Meeting Room

10:20am PDT

Day 2 - Zeek Agent: Correlating Host and Network Logs for Better Forensics - Wajih Ul Hassan

Summary: I'll present Zeek Agent, an open source endpoint monitoring framework that seamlessly correlates endpoint activity with Zeek network logs. I'll talk about Zeek Agent architecture, implementation, and its use-cases.

Abstract: There's a potentially great power for security analysis in having both endpoint and network visibility, but one big challenge is how to tie the two together in a meaningful way. In this talk, I’ll present Zeek Agent, an endpoint monitoring tool that provides deeper visibility into organization-wide activities through transparently observing endpoint activity and correlating it with Zeek network logs. I’ll describe the design and implementation of the Zeek Agent framework and the techniques that we employ to derive correlations between host and network logs. Later in this talk, I’ll explain how we use the notion of causal analysis on the correlated host and network logs to accelerate the threat investigation process. Causal analysis can generate contextual history around the alert through automatically reconstructing the chain of events that led to the alert event. Using such analysis, security analysts can better understand alerts without needing to write long ad-hoc queries to chain together context during threat investigation. Finally, I’ll present an attack case study to show the effectiveness of the causal analysis technique during attack investigation.

Slack Channel for this session - #vzw-day2-talk5-zeek-agent

Speakers
Wajih Ul Hassan

Research Intern, Corelight, Inc.
Wajih Ul Hassan is a Ph.D. candidate in the CS Department of the University of Illinois at Urbana Champaign, where he is advised by Adam Bates. His research interests are in system and network security, with an emphasis on intrusion detection, forensic analysis, and data provenance...



Wednesday October 14, 2020 10:20am - 10:40am PDT
Online - Zoom Meeting Room

10:40am PDT

Day 2 - BSD Honeypots with Zeek - Of course it runs on BSD - Michael Shirk

Summary: I did a talk at BSDCan 2020 highlighting the use of BSD as a platform for honeypots. Central to this talk was the use of Zeek and the intel framework to correlate all of this data together while utilizing FreeBSD jails to separate the honeypot from Zeek. I emulated services using a honeypot Python framework in one jail, while using Zeek to monitor all of the traffic going towards the jail. I intend to update this talk to be more focused on the setup of Zeek.

Abstract: In the past, there was some interest in the setting up of honeypots on BSD operating systems with tools like honeyd. Honeypots attempt to capture malicious code, network worms and attackers by emulating vulnerable services using a variety of methods. An opportunity came up for me to try to capture some malicious code using a simple setup with Zeek and FreeBSD jails. The setup was simple and easy to replicate as a way to perform security research on current attacks across the Internet and correlate with other threat sources for analysis.

Slack Channel for this session - #vzw-day2-talk6-bsd-honeypots

Speakers
Michael Shirk

Daemon Security
Michael Shirk is a BSD zealot who has worked with OpenBSD and FreeBSD for over 15 years. He works in the security community and supports open source security products that run on BSD operating systems (Snort, Suricata, Zeek, AIDE).



Wednesday October 14, 2020 10:40am - 11:00am PDT
Online - Zoom Meeting Room

11:20am PDT

Day 2 - Using Zeek in ESnet6 management network security monitoring - Scott Campbell

Summary: ESnet is building a greenfield implementation for its next generation network. This presentation describes how we are using Zeek as an integral part of our monitoring and security strategy, focusing on architecting traffic patterns to maximize intruder visibility as well as providing critical feedback on device misconfiguration.

Abstract: ESnet is building a greenfield implementation for its next generation network. In it, the management plane represents the command and control infrastructure of our network, so security has to be a significant component of its design and operation. This presentation describes how we are using Zeek as part of our monitoring and security strategy, focusing on architecting traffic patterns to maximize intruder visibility as well as providing critical feedback on device misconfiguration.

Slack Channel for this session - #vzw-day2-talk7-zeek-in-esnet6

Speakers
Scott Campbell

ESNet
I have been at Lawrence Berkeley National Lab since 2001 working in the security groups for high performance computing (NERSC) as well as scientific networking (ESnet). This whole time I have been using Zeek for a variety of interesting things, and have done quite a bit of research...



Wednesday October 14, 2020 11:20am - 11:40am PDT
Online - Zoom Meeting Room

11:40am PDT

Day 2 - A Structural Approach to Modeling Encrypted Connections - Anthony Kasza

Summary: Attendees will gain insights into a proven and scalable method for analyzing encrypted flows without breaking and inspecting their contents. This talk is meant to expand the audience's understanding of techniques for summarizing network connections and approaches to encrypted traffic analysis. The mechanism of the SSH, SSL, and RDP protocols will be explored using both techniques.

Abstract: To weary network users, encryption provides privacy for data in transit. To network operators and security analysts, encryption hinders visibility. Breaking encryption and inspecting content can be costly and error prone. By analyzing the lengths and ordering of encrypted data exchanged throughout a connection (i.e., signals that don't require breaking encryption), network monitoring systems can infer protocol state without parsing the content of the connection. By modeling a protocol's state transitions and overlaying that model on a connection's sequence of lengths (SOL), inferences can be made about how the protocol is being used. This provides a sort of compromise between privacy and visibility. Attendees will gain insights into a proven and scalable method for analyzing encrypted flows without breaking and inspecting their contents. This talk is meant to expand the audience's understanding of techniques for summarizing network connections and approaches to encrypted traffic analysis. The mechanism of the SSH, SSL, and RDP protocols will be explored using both techniques.

Slack Channel for this session - #vzw-day2-talk8-modeling-encrypted-connections

Speakers
Anthony K

Technical Director, Corelight, Inc.
Anthony Kasza is a Technical Director for Corelight. At Corelight, Anthony is responsible for developing prototypes that provide insights into network activity. Prior to working at Corelight, Anthony was responsible for discovering new and tracking known threats, creating scalable...



Wednesday October 14, 2020 11:40am - 12:00pm PDT
Online - Zoom Meeting Room

12:00pm PDT

Day 2 - Zeek, and Splunk, and Alertus, oh My - Brian Allen

Summary: Learn how to find useful information at the intersection of Zeek, Splunk, and Alertus logs.

Abstract: WashU has a communication tool called Alertus which is used to share info with every user on campus during an emergency. The Alertus clients are very chatty and include a lot of useful information when they phone home. Zeek sees this, so we looked for ways to use that data in Splunk. We'll look at some ways we added Alertus user data to Splunk searches to track down machines on campus.

Slack Channel for this session - #vzw-day2-talk9-zeek-splunk-and-alertus

Speakers
Brian Allen

Information Security Manager, Washington University in St. Louis
Brian Allen started in IT as a Unix admin in 2000, and has been working in information security at Washington University for 14 years.



Wednesday October 14, 2020 12:00pm - 12:20pm PDT
Online - Zoom Meeting Room

12:20pm PDT

Day 2 - How to set your logs on fire with Emoji-🔥 - Benjamin Berens & Jan Grashöfer

Summary: First Jan will present the idea of the Emojifier, explain how we implemented it and how the Emojifier can be extended (~10min). Then Benjamin will give a brief introduction to our plans to investigate potential benefits of applying the Emojifier in production or education (~2min). Finally we would like to discuss the Emojifier's practical relevance with the audience (using polls, if possible).

Abstract: The Emojifier is a small Zeek script that saw the of the day in the first Zeek contest. The script extends Zeek's connection log with emojis that visualize special properties of a connection. In our talk we will describe how we brought color into Zeek logs and present our plan to investigate possible real- applications. Finally, we would like to learn: What do you think about in your logs?

Slack Channel for this session - #vzw-day2-talk10-how-to-set-your-logs-on-fire-with-emojji

Speakers
Jan Grashöfer

KIT - Karlsruher Institute for Technology
Jan is a PhD student at Karlsruhe Institute of Technology (KIT). In his research he focuses on performance aspects of network monitoring. Jan started to work with Zeek in 2015. Among his contributions are the AF_Packet plugin and a rework of the intelligence framework.
Benjamin Berens

KIT - Karlsruher Institute for Technology
Benjamin is a PhD candidate at Karlsruhe Institute of Technology (KIT). In his research he focuses on various security aspects in conjunction with human factors. Benjamin tries to help users get more familiar with and enjoy using IT security.



Wednesday October 14, 2020 12:20pm - 12:40pm PDT
Online - Zoom Meeting Room

12:40pm PDT

Day 2 - Gamification of Zeek: Demonstrating the Power of Zeek through CTFs - Aaron Soto

Abstract: If you're at ZeekWeek 2020, I'll bet it's because you love Zeek. You try to show it off to your peers. You might even talk about it at parties. (That's ill advised -- doubly-so in 2020.) But how can you really show off Zeek?

Capture The Flag (CTF) exercises are popular in Information Security because they give participants the chance to see attacks, tools, and techniques in practice. So, I (along with Matt Bromiley and members of Corelight) created a CTF at ZeekWeek 2019, aiming to show off the pure usefulness of open-source Zeek. Over the past year, it has exploded in popularity and has introduced hundreds of people to Zeek data. In this talk, I'll discuss how we created the event, what we've learned along the way, and what we'd do differently. My hope is that this talk inspires you to participate in CTFs and also to change the way you show off your love of Zeek.

Slack Channel for this session - #vzw-day2-talk11-gamification-of-zeek

Speakers
Aaron Soto

Director of Learning, Corelight, Inc.
Aaron Soto is at Corelight, training users on the Zeek (formerly Bro) network monitoring platform. He was recently on Rapid7's Metasploit team. In his off-time, he enjoys endurance automotive racing.



Wednesday October 14, 2020 12:40pm - 1:00pm PDT
Online - Zoom Meeting Room

1:00pm PDT

Day 2 - Community/2021 Strategic Plan Update

In this talk, Amber will go over the high-level strategic Zeek Community goals for 2021. She'll also go over stats from the past year to highlight the amazing work being done by you, the Zeek Community, and cover various ways that you can get involved and help shape the future of the Zeek Project.

Slack Channel for this session - #vzw-day2-talk12-community-strategic-plan-update

Speakers
Amber Graner

Director of Community, Corelight, Inc.
Amber’s open source journey started in 2009 when she started blogging about Ubuntu. Since then she’s written for Ubuntu User Magazine, co-authored The Official Ubuntu Book (6th & 7th edit.) and served as a technical reviewer for Jono Bacon’s Art of Community. She was the first...



Wednesday October 14, 2020 1:00pm - 1:20pm PDT
Online - Zoom Meeting Room

1:20pm PDT

Day 2 - Going Beyond Alerts - Maximizing Network Defense with Suricata 6.0

Securing a network often begins with the ability to generate alerts when malicious or non-standard network traffic is observed. This is routinely accomplished through intrusion detection and prevention systems (IDPS) such as Suricata, as well as other open-source tools. Unfortunately, an alert only provides a narrow view into a possible incident. Data surrounding an alert also needs to be available to help an analyst build context before and after an alert. In this talk, we’ll introduce the latest features available in the newly released Suricata 6.0 and discuss how protocol-specific logs, full-packet capture and other features of Suricata and Zeek can be used to build a more comprehensive view into an organization’s network. This context allows an organization to understand the threats it faces and gives it the ability to respond to incidents quickly and more accurately.


Slack Channel for this session -

Wednesday October 14, 2020 1:20pm - 1:40pm PDT
Online - Zoom Meeting Room
 