Christian Kreibich
Christian is the technical lead of the Zeek project, and an engineer at Corelight. He previously spent 5 years heading the networking group at Lastline, and prior to that spent 5 years as a research scientist at the International Computer Science Institute in Berkeley. He has served on the advisory board of the Open Information Security Foundation, and holds a PhD from the University of Cambridge's Systems Research Group. He still rides skateboards, which recently earned him a busted rotator cuff.
Session
The Zeek network monitor offers a range of mechanisms to interact with it while up and running. Examples include its ability to asynchronously ingest intel data, exchange Zeek events with custom-built services, call out to web APIs via JavaScript, load and save runtime state, and produce operational telemetry. These features provide powerful means to integrate Zeek into an organization's cybersecurity infrastructure, taking it far beyond a mere producer of network logs.
In this talk I will walk through these features, outline their relative pros and cons, and give examples of real-world applications they enable, including machine learning models, threat intel platforms like MISP, and "round-tripping" of network inventory data. This talk is ideal for users who have gained initial experience with running Zeek, and are looking to get more out of their deployment. Even if you've never used Zeek before, you'll gain a better understanding of what it can provide for your network detection & response infrastructure.