Thursday, April 12 | 9:15AM–10:15AM ET | Maryland Ballroom E, Fifth Floor
Bro is a great tool for transforming raw network traffic into streams of useful logs for consumption by a security analyst. To get more out of that data than plain-text logging allows, many organizations have added massive ElasticSearch databases for better search capability. Unfortunately, search alone didn't give analysts a way to create actual incidents from the information in those databases. In this presentation, we will explain how BC (Boston College) closed the detection loop and automated Bro detection to transform the raw data into true events. We will also discuss the architecture and technology needed to process and consume this data at speed for a medium-sized Bro deployment.
Outcomes:
* Be able to plan a reasonably sized ElasticSearch cluster for Bro data
* Spot common performance problems with your cluster and get solutions to fix them
* Discover the new Watchman tool to better utilize your Bro data
President, The Cooper-Cain Group, Inc.
Principal Information Security Analyst, Boston College