Join LookingGlass CTO Allan Thomson at the API conference this November, where he will be presenting:

Zeek-Based Threat Detection & Hunting

This presentation describes how Zeek (formerly Bro), a common open-source tool that until today has been used primarily for threat detection and visibility, can be extended for threat hunting as well as for threat response, including mitigation of attacks.

Today Zeek/Bro has a large and active open-source community that contributes Zeek/Bro scripts, including scripts that detect attacks such as Heartbleed and many other behavior-based detections.

This presentation will have the following structure:

  • Introduction to Zeek/Bro event-based detection techniques, including behavioral detection aspects
  • Show how those detection techniques can be applied to threat hunting
  • Show how detections can be mapped to the MITRE ATT&CK framework, giving the audience a common taxonomy for what Zeek/Bro does
  • Introduce how the Zeek/Bro event-based programming model can be extended for threat mitigation and response, and what benefits those
    extensions would provide organizations
  • Show specific Zeek/Bro examples that highlight the power of extending the Zeek/Bro paradigm
    • including simple actions such as responding to Heartbleed after it is detected with a mitigation action that stops the behavior
      from progressing through the kill chain
  • Highlight how this framework can be further extended for automation across a network of sensors, with mitigation driven by orchestration tools
    • show how Zeek/Bro fits into orchestration tools, including possible playbooks written for security operations that tie detection to automated mitigation
  • Summarize the approach to detection and threat hunting with Zeek/Bro
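As an added illustration of the detection-to-mitigation pattern the outline describes (not code from the talk or from LookingGlass), the following Zeek script ties the notices raised by Zeek's bundled Heartbleed detector to an automatic NetControl block and emits an event an orchestration layer could consume. It assumes Zeek 2.5 or later (NetControl in base/) and the bundled policy/protocols/ssl/heartbleed script; the block duration, module name and block_requested event are assumptions of this example.

```zeek
# Added example: turn a Zeek Heartbleed detection into a mitigation action.
# Assumes Zeek 2.5+ with the NetControl framework and the bundled
# policy/protocols/ssl/heartbleed script (which raises the notices used below).
@load base/frameworks/netcontrol
@load base/frameworks/notice
@load protocols/ssl/heartbleed

module HeartbleedResponse;

export {
    ## How long to keep the offending source blocked (assumed value).
    const block_duration = 1hr &redef;

    ## Raised after a block has been requested, so an orchestration layer
    ## (e.g. over Broker) can act on it without re-parsing notice.log.
    global block_requested: event(src: addr, note: Notice::Type, rule_id: string);
}

# Register a NetControl backend. The debug plugin only prints the rules it
# receives; in production an OpenFlow, acld or Broker backend would be
# activated here instead, so the same script drives real enforcement.
event NetControl::init()
{
    local dbg = NetControl::create_debug(T);
    NetControl::activate(dbg, 0);
}

# Notice::policy runs for every notice before it is logged. Zeek's heartbleed
# script raises these notices from the ssl_heartbeat event, so hooking here
# is where event-based detection is joined to a response.
hook Notice::policy(n: Notice::Info)
{
    if ( n$note == Heartbleed::SSL_Heartbeat_Attack ||
         n$note == Heartbleed::SSL_Heartbeat_Attack_Success )
    {
        # Notices built from a connection carry the originator as n$src.
        if ( n?$src )
        {
            # Ask NetControl to drop all traffic from the attacking host.
            local rule_id = NetControl::drop_address(n$src, block_duration, "heartbleed");

            # Keep the notice in notice.log and annotate it for the analyst.
            add n$actions[Notice::ACTION_LOG];
            if ( n?$msg )
                n$msg = fmt("%s [NetControl rule %s requested]", n$msg, rule_id);

            event HeartbleedResponse::block_requested(n$src, n$note, rule_id);
        }
    }
}
```

Run it against a capture with `zeek -r some-capture.pcap heartbleed-response.zeek` (constructed file names); the debug backend prints each drop rule to stdout while notice.log records the annotated notice.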


About the Speakers

  • Allan Thomson
    CTO, LookingGlass Cyber Solutions, Inc.

    As LookingGlass Chief Technology Officer, Allan leads technical strategy, architecture and product technology across all LookingGlass Threat Intelligence product lines, including Threat Response systems. Allan is a key contributor to the STIXv2 standards and co-chair of the STIX/TAXIIv2 Interoperability sub-committee, including the STIXPreferred certification program. Prior to LookingGlass, Allan served as Principal Engineer at Cisco Systems, Inc., where he led the software architecture and design of the company's Cyber Threat Defense System and Platform Exchange Grid. He was responsible for overall systems management and security telemetry collection/aggregation, as well as distributed threat analysis/intelligence services in multi-tenant public and private cloud deployments.