Security is BroCon
BroCon ‘14 offers the Bro community a chance to share experiments, successes, and failures to better understand and secure our networks. The convention is composed of talks and training exercises from the Bro development team as well as fellow users and enthusiasts.
BroCon ‘14 will occur on August 18th-20th, 2014, at the National Center for Supercomputing Applications in Urbana, Illinois. Each morning the conference will begin with breakfast at 8:00am at NCSA. Monday’s and Tuesday’s agendas end at 5:00pm with a welcome event planned Monday night. Wednesday’s agenda is shortened to noon to give remote attendees a head start on traveling home. For those who can stay after lunch on Wednesday we offer a tour of Blue Waters.
The conference attendance fee is $50.00. Registration is closed.
Note: Contact us at info@bro.org to request training exercise solutions.
8:00 a.m. Breakfast and Registration
9:00 a.m. Host Remarks and Introduction
9:15 a.m. Team Presentation
10:15 a.m. Break
10:45 a.m. Nick Buraglio - ESnet
Best practices for Securing the Science DMZ (Slides) (Video)
The Science DMZ model is a widely deployed and accepted architecture allowing for movement and sharing of large-scale data sets between facilities, resources, or institutions. In order to help assure integrity of the resources served by the science DMZ, a different approach should be taken regarding necessary resources, visibility as well as perimeter and host security. Based on proven and existing production techniques and deployment strategies, we provide an operational map and high level functional framework for securing a science DMZ utilizing a “defense in depth” strategy including log aggregation, effective IDS filtering and management techniques, black hole routing, flow data and traffic baselining.
11:30 a.m. Bro Team
- Building Bro’s VM and accessing training materials
12:00 p.m. Lunch
1:00 p.m. Bro Team
2:00 p.m. Bob Rotsted - Reservoir Labs, Inc. (Video)
Value of Context When Detecting Adversaries
In the talk, we discuss the value of contextual information in detecting advanced adversaries. We explore ways that data extracted and analyzed by Bro can be used to enhance an analyst’s understanding of a network event and how it can be used to more accurately automate network security workflow with Bro.
2:45 p.m. Break
3:15 p.m. Bro Team
4:15 p.m. Johanna Amann - ICSI
SSL in Bro 2.3 (Slides)
This talk presents the new features of the Bro 2.3 SSL analyzer including the necessary technical background of the SSL protocol. We will also explain the recent Heartbleed exploit and give a thorough review of how its detection works in Bro.
6:00 p.m. Dinner at NCSA
- Sponsored by our corporate sponsors.
Justin Azoff - NCSA
Justin’s Bro Development Lab (Video)
Justin Azoff’s impromptu presentation on the interesting projects he’s been working on as a Bro developer and security engineer.
Seth Hall - ICSI/LBNL/Broala
Bro v2.3 Release (Video)
Seth Hall’s impromptu presentation on the main features and latest release of Bro: v2.3.
8:00 a.m. Breakfast
9:00 a.m. Bro Team
10:00 a.m. Break
10:30 a.m. Michael Pananen - Vigilant Technology Solutions
Automating Bro’s Installation Using Puppet (Slides) (Video)
This talk isn’t going to explain why Bro is awesome, or why you should use it. This talk is going to be about automation. Bro’s problem isn’t finding bad guys. Its problem is that it doesn’t install itself on your hardware automatically. I completely automated Bro’s installation, upgrade and configuration, using Puppet on 450 sensors around the world. It wasn’t easy at first, but in the end, Puppet turned my Bro sensor grid into a well-oiled machine.
11:15 a.m. Kurt Grutzmacher - Cisco Security Solutions
Cisco OpenSOC Hadoop Design with Bro (Slides) (Video)
At Cisco we have developed a “Hadoop 2.0” system, OpenSOC, to support the ingestion of at least 1.2 million packets per second off the wire for logging and enrichment processing (threat intelligence, geolocation, and analytics). This presentation will discuss the technologies being used and how we have adapted Bro to deliver packet metadata, lowering the barrier for a larger solution to break the known limits of ElasticSearch/Logstash/Kibana systems.
OpenSOC will be publicly available around the summertime of 2014.
12:00 p.m. Lunch
1:00 p.m. Aashish Sharma - LBNL
Bro: Actively defending so you can do other stuff (Slides) (Video)
In this talk I will detail various active-defense strategies LBNL is employing to identify and to block malicious IP addresses. We focus on scan-detection, drop.bro and catch-n-release policy along with ‘deep-blocks’ and the use of intelligence and input-framework for active blocking. We further showcase checks and balances used to weed out false positives. The goal of this talk is to provide the audience with detailed insights into deployment of dynamic firewalling capabilities of Bro while keeping the network open and functional.
1:45 p.m. Bro Team
Training: SSL Analyzer (PDF)
In this training session, we will give an overview on how to use the SSL analyzer in Bro for different tasks. We will, for example, use it to find local servers that use weak keys, verify the validity of certificates, enforce certificate pinning and find errors in certificate chains sent by servers.
2:45 p.m. Break
3:15 p.m. Matthias Vallentin - ICSI
VAST Presentation (Slides) (Video)
Visibility Across Space and Time (VAST) is a platform for large-scale network forensics, especially suitable for interactive incident response. It offers a rich-typed query language to facilitate finding needles in haystacks. VAST has first-class support for Bro: it imports logs natively and can also generate query results as Bro logs in addition to JSON. The current prototype can search hundreds of millions of events with interactive response times on a single machine. This talk first sketches the architecture briefly and then gives a demonstration of how to use the system.
3:45 p.m. Robin Sommer - ICSI/LBNL/Broala
BinPAC++ Demo (Slides) (Video)
We’ll present a demo of a next-generation parser generator, BinPAC++, that we are working on for use by Bro, as well as by other tools. The system will make it much easier to add support for new protocols and file formats, without requiring in-depth knowledge of Bro’s internals. BinPAC++ provides an extensive grammar language for expressing syntax and semantics, which it then compiles down into efficient parsing code just-in-time. While BinPAC++ is still an ongoing research effort, our implementation provides most of the targeted features at this time, and we’re planning to start using it experimentally over the coming months for collecting initial experiences.
4:30 p.m. Seth Hall - ICSI/LBNL/Broala
Bro Development Outlook (Video)
This talk will cover the future of Bro, both in the long and short run.
8:00 a.m. Breakfast
9:00 a.m. Bob Bregant - University of Illinois, Office of Privacy and Information Assurance
Bro Tap/Span Networking (Slides) (Video)
Through the use of Arista’s "DANZ" software (really just tap aggregation on one end and then mirroring symmetric hashing and load balancing on the other), you can fix split-routing issues, bring up Bro without having to cut out your other tools (or vice-versa), filter out traffic that you aren’t interested in, and even set up a test cluster that gets some/all of your production data to test on. I’ll show you how the University of Illinois is utilizing this system to keep the security and networking teams happy and how you can do the same without having to shake down your users for their lunch money.
9:45 a.m. Bro Team
10:45 a.m. Break
11:15 a.m. Bro Team
Panel Discussion
The Bro Core Team will take the stage for a panel discussion about the project, where it’s been and where it’s headed.
12:00 p.m. Lunch
1:00 p.m. Blue Waters Team
Blue Waters Tour
Blue Waters is NCSA’s petascale supercomputer and is located at the National Petascale Computing Facility on the University of Illinois Campus. The tour will include a review of the supercomputer and the unique infrastructure required to support the project. Transportation to the site will be provided.
We have reserved a block of rooms at the Holiday Inn. Call the hotel directly and mention Bro Workshop to receive the discounted rate. Attendees affiliated with government organizations should confirm their government discount before booking their room in case the rate is lower than our negotiated rate.
Holiday Inn - Located about 1.5 miles north of NCSA, a shuttle to and from the conference will be available:
Holiday Inn, 1001 Killarney St, Urbana, IL 61801. Front desk: 217-328-7900. Rate: $85/night.
The Hampton Inn is more expensive than the Holiday Inn; however, attendees may find the location more convenient. Government-affiliated attendees must show a government-issued ID or credit card in order to receive the discount.
Hampton Inn - Located one block north of the NCSA building:
Hampton Inn, 1200 W University Ave, Urbana, IL 61801. Front desk: 217-337-1100. Government rate: $83/night.
There are two regional airports near Urbana-Champaign: Willard Airport (CMI) and Central Illinois Regional Airport (BMI) in Bloomington. The Bloomington airport has more flight options but is a 45-minute drive west of Champaign. For those who prefer to drive from Chicago or Indianapolis the drive is approximately two-and-a-half hours from either city. We suggest air travelers fly to CMI and take a taxi to their hotels.
The Bro Project is located at the International Computer Science Institute (ICSI), a non-profit research institute affiliated with the University of California, Berkeley. ICSI welcomes sponsorship of BroCon ‘14 and beyond. To learn more about supporting Bro or its events, email us at info@bro.org.
© 2014 The Bro Project.