Elevating Zeek

Zeek (formerly known as Bro), the most widely used open source network security logging system, gives organizations and companies insight into their network operations.

Yet, Zeek simply reports the facts. It records detailed metadata about every network flow but leaves it up to analysts to figure out what it all means. BluVector uses Zeek to generate metadata and carve potential threats from network protocols. But it doesn’t stop there.

With BluVector Cortex, organizations gain a powerful solution that goes beyond the facts with additional tools and analytics that give IT security teams context into what, why, when and how threats are operating within their networks.

Powered by that information, security teams are able to stop threats, prevent lateral infections, triage threat events and inform automated response systems.

BluVector’s unique Targeted Logging feature automatically correlates detection events with Zeek metadata occurring before and after the threat detection, so analysts can immediately understand the network context surrounding a threat detection.

The Power of Zeek

Many organizations rely on Zeek because it is a single tool that delivers detailed metadata about all network flows over a wide variety of protocols, including HTTP, SMB, FTP, DNS and SNMP. It can also carve files out of the protocols that support file transfer.

  • Detailed metadata about all network flows over a wide variety of protocols (HTTP, SMB, FTP, DNS, SNMP, etc.)
  • File carving from protocols that support file transfer
  • Extensible using Zeek’s custom scripting language
  • Zeek’s intelligence framework allows analysts to look for cyber indicators of compromise (IoCs)
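As an added example (not BluVector's or the Zeek project's code), the script below shows in Python what the two capabilities described above look like when run over Zeek output: it matches the indicators in a small intel list against a conn.log, in the spirit of Zeek's intelligence framework, and then pulls the metadata recorded before and after each hit for the same host, which is the correlation the Targeted Logging paragraph earlier on the page describes. The conn.log rows and the indicator list are constructed sample data; the Zeek log is a real TSV layout, but only the `#fields` header line is parsed and the other `#` header lines are skipped.

```python
"""Intel matching over a Zeek conn.log, then before/after metadata correlation.

Added example: the log rows and the indicator list below are constructed
sample data, not output from any real sensor.
"""
from datetime import datetime, timezone

# Constructed sample of a Zeek conn.log (TSV). Real files also carry
# #separator, #types and #close lines; those are skipped by the parser.
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
1700000000.000000\tCuid1\t10.0.0.5\t51000\t93.184.216.34\t443\ttcp\tssl\t2.1\t1200\t5400
1700000012.500000\tCuid2\t10.0.0.5\t51001\t198.51.100.7\t80\ttcp\thttp\t0.4\t300\t65000
1700000020.000000\tCuid3\t10.0.0.5\t51002\t203.0.113.9\t8443\ttcp\tssl\t30.0\t900\t2000
1700000400.000000\tCuid4\t10.0.0.5\t51003\t93.184.216.34\t443\ttcp\tssl\t1.0\t800\t4000
1700000015.000000\tCuid5\t10.0.0.8\t52000\t198.51.100.7\t80\ttcp\thttp\t0.2\t200\t100
"""

# Constructed indicator list: (indicator, indicator type, description).
# The type names mirror the Intel::ADDR convention of Zeek's intel framework.
INTEL = [
    ("198.51.100.7", "Intel::ADDR", "constructed: address from a threat feed"),
]


def parse_zeek_log(text):
    """Parse a Zeek TSV log into dicts keyed by the #fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        rec["ts"] = float(rec["ts"])  # Zeek timestamps are epoch seconds
        records.append(rec)
    return records


def match_intel(records, intel):
    """Emit one detection event per flow whose endpoint hits an address IoC."""
    addr_iocs = {ind: desc for ind, kind, desc in intel if kind == "Intel::ADDR"}
    events = []
    for rec in records:
        for field in ("id.orig_h", "id.resp_h"):
            desc = addr_iocs.get(rec[field])
            if desc:
                events.append({
                    "ts": rec["ts"],
                    "uid": rec["uid"],
                    "host": rec["id.orig_h"],  # internal host to pivot on
                    "indicator": rec[field],
                    "seen_in": field,
                    "desc": desc,
                })
    return events


def targeted_logging(records, event, window_s=60.0):
    """Return flows touching the event's host within +/- window_s seconds,
    each tagged 'before', 'trigger' or 'after' relative to the detection."""
    lo, hi = event["ts"] - window_s, event["ts"] + window_s
    context = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if event["host"] not in (rec["id.orig_h"], rec["id.resp_h"]):
            continue
        if not lo <= rec["ts"] <= hi:
            continue
        if rec["uid"] == event["uid"]:
            tag = "trigger"
        elif rec["ts"] < event["ts"]:
            tag = "before"
        else:
            tag = "after"
        context.append((tag, rec))
    return context


if __name__ == "__main__":
    recs = parse_zeek_log(CONN_LOG)
    for ev in match_intel(recs, INTEL):
        when = datetime.fromtimestamp(ev["ts"], tz=timezone.utc).isoformat()
        print(f"[{when}] {ev['uid']} {ev['host']} hit {ev['indicator']} ({ev['desc']})")
        for tag, rec in targeted_logging(recs, ev):
            print(f"  {tag:>7}  {rec['uid']}  {rec['id.orig_h']} -> "
                  f"{rec['id.resp_h']}:{rec['id.resp_p']}  {rec['service']}")
```

Run as-is, the script reports two hits on the feed address and, for the first one, lists the TLS session the same host made shortly before and the outbound connection it made shortly after, while the flow from a different host and the flow outside the 60-second window are left out. The window and the pivot key (here the originating host) are the two knobs an analyst normally tunes; keying on the Zeek `uid` instead would join conn.log with the per-protocol logs for the same connection.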

The Value of a Managed Zeek Box

  • Zeek is difficult to optimize for performance. Custom installations often struggle with scaling to higher data rates. Managed solutions have solved these challenges.
  • Zeek deployments often consist of multiple sensor installations to establish multiple points of visibility within the network. Central management of Zeek deployments allows security operators to keep a consistent set of sensor configurations across many individual sensors.
  • 24/7 Customer Support
Feature                                          Open-Source Zeek   Managed Zeek Box   BluVector Cortex
Zeek Metadata                                    Yes                Yes                Yes
Support Custom Zeek Scripts                      Yes                Yes                Yes
Intel-Based Threat Detection                     Yes                Yes                Yes
File Extraction                                  Yes                Yes                Yes
File-based Threat Detection                      No                 No                 Yes
Fileless Threat Detection                        No                 No                 Yes
Detailed Threat Analytics                        No                 No                 Yes
Automated Threat Event and Metadata Correlation  No                 No                 Yes
Threat Scoring                                   No                 No                 Yes
Central Threat Visibility                        No                 No                 Yes
SOC Analyst Workflows                            No                 No                 Yes
Historic Network Analysis                        No                 No                 Yes
Email Threat Detection                           No                 No                 Yes
Streaming Metadata Export                        No                 Yes                Yes
LDAP Support                                     No                 Yes                Yes
Central Appliance Management                     No                 Yes                Yes
Commercial 24×7 Support                          No                 Yes                Yes

BluVector Cortex: Going Beyond Just a Managed Zeek Box

  • Advanced AI-based detection analytics for file-based and fileless threats
  • Integrated Yara engine for custom file-based detection rules
  • Integrated malicious network behavior detection using Suricata
  • Included dynamic content analysis engine (i.e., sandbox)
  • Support for processing cloud-based email solutions such as Office 365 and Gmail for Business
  • Automated correlation of Zeek metadata with threat detection events
  • Automated correlation with Active Directory data to enhance event context
  • Configurable analyst workflows and threat scoring
  • Easily configured integrations with SIEMs, third-party content analyzers, intelligence providers and message brokers
  • Built-in Zeek log search (does not require an external log repository)