WEBVTT

00:00:02.327 --> 00:00:02.494
Okay,

00:00:02.494 --> 00:00:06.327
so we just went through and checked out some default scripts that Zeek uses,

00:00:06.327 --> 00:00:10.327
and also showed you how to utilize that signature framework.

00:00:10.327 --> 00:00:14.327
That was a really informative demo, wasn't it?

00:00:14.327 --> 00:00:15.327
But my question for you is,

00:00:15.327 --> 00:00:19.216
how do you know if you should use all of those defaults and what

00:00:19.216 --> 00:00:22.327
other scripts and signatures you should use?

00:00:22.327 --> 00:00:26.327
Well, let's talk about that for a few minutes.

00:00:26.327 --> 00:00:29.327
One thing I always tell customers is that you have to know,

00:00:29.327 --> 00:00:34.327
at least a little bit, what you want to look for when looking for it.

00:00:34.327 --> 00:00:37.418
Are you looking for a network monitoring solution to look at

00:00:37.418 --> 00:00:40.327
statistics or are you trying to detect threats?

00:00:40.327 --> 00:00:41.327
Or is it both?

00:00:41.327 --> 00:00:46.327
The Globomantics requirement is to use this as a network monitoring solution,

00:00:46.327 --> 00:00:49.327
not specifically a network security solution.

00:00:49.327 --> 00:00:51.927
So it's safe to assume that we'll want things like

00:00:51.927 --> 00:00:54.327
the capstats component running,

00:00:54.327 --> 00:00:56.327
as well as protection against any misconfigurations

00:00:56.327 --> 00:00:59.327
in the network and anomalies.

00:00:59.327 --> 00:01:03.452
Now this kind of straddles the line between network monitoring and security,

00:01:03.452 --> 00:01:05.327
but that's okay.

00:01:05.327 --> 00:01:09.327
In today's world, they sort of go hand in hand.

00:01:09.327 --> 00:01:11.327
Misconfigurations can lead to compromises,

00:01:11.327 --> 00:01:17.327
and compromises can lead to weird traffic in your network.

00:01:17.327 --> 00:01:20.327
So what do you want to see with this tool?

00:01:20.327 --> 00:01:22.627
This is a long discussion to be had as you're going through and

00:01:22.627 --> 00:01:25.327
looking at the default scripts that Zeek comes with.

00:01:25.327 --> 00:01:26.927
At the very least,

00:01:26.927 --> 00:01:30.577
we would want those default scripts to be turned on and

00:01:30.577 --> 00:01:33.873
functioning at first so we can be sure we're monitoring most of

00:01:33.873 --> 00:01:36.327
the things that we can't even think of yet.

00:01:36.327 --> 00:01:41.327
When having this discussion with your team or thinking out loud to yourself,

00:01:41.327 --> 00:01:44.327
the conversation has to answer a few questions.

00:01:44.327 --> 00:01:46.237
Besides what do you want to see,

00:01:46.237 --> 00:01:50.327
we have to ask what's my network supposed to be doing?

00:01:50.327 --> 00:01:54.327
What's the normal protocol behavior look like?

00:01:54.327 --> 00:01:57.327
Should we be transferring files between hosts?

00:01:57.327 --> 00:01:59.327
What about interface utilization?

00:01:59.327 --> 00:02:01.327
Link saturation?

00:02:01.327 --> 00:02:04.127
Should we be worried about weird activity or just look for

00:02:04.127 --> 00:02:07.327
events that relate to network functionality?

00:02:07.327 --> 00:02:11.042
All of these need to be asked so that you can write either

00:02:11.042 --> 00:02:14.327
scripts or signatures to look for to find that information

00:02:14.327 --> 00:02:17.327
and use Zeek effectively.

00:02:17.327 --> 00:02:21.327
Tuning is a word that some people despise.

00:02:21.327 --> 00:02:24.327
It's something that we need to do though,

00:02:24.327 --> 00:02:29.327
typically on a recurring basis for almost all security and analysis tools.

00:02:29.327 --> 00:02:36.327
Our IDSs need to be tuned, our IPSs need to be tuned, firewalls too.

00:02:36.327 --> 00:02:39.327
With Zeek, this is especially crucial.

00:02:39.327 --> 00:02:43.327
Think about the use cases you have in your environment.

00:02:43.327 --> 00:02:48.327
Are you actually detecting the anomalies or is Zeek just ignoring them?

00:02:48.327 --> 00:02:48.550
Or,

00:02:48.550 --> 00:02:52.827
is Zeek doing too good of a job and generating false positives for

00:02:52.827 --> 00:02:56.327
events because some things are just too generic?

00:02:56.327 --> 00:02:59.327
As you test the functionality of Zeek after deciding your use

00:02:59.327 --> 00:03:01.327
cases and writing scripts and signatures,

00:03:01.327 --> 00:03:04.327
you need to tune the system.

00:03:04.327 --> 00:03:08.327
This can encompass turning unnecessary scripts off,

00:03:08.327 --> 00:03:12.327
adding new ones, or modifying existing ones.

00:03:12.327 --> 00:03:15.027
We want your environment to find what you're looking

00:03:15.027 --> 00:03:22.327
for and do so in an efficient manner.
