Zeek is Like a Box of LEGO Bricks for Network Security [Q&A with Dr. Ali Hadi]

By day, Dr. Ali Hadi is a professor who teaches cybersecurity courses at Champlain College in Burlington, Vermont. At night, he researches various aspects of cybersecurity. It was his research and conference presentations around network security and the Zeek framework that caught our attention. So, we reached out to him and asked him to participate in our guest Q&A series with thought leaders in cybersecurity – and he graciously agreed.


1) What attracted you to the field of cybersecurity and how did you get started?


AH: Let me answer in reverse order. What got me started was my first unofficial job when the Chernobyl Virus (aka CIH) hit many computers around the world. At that time, I was asked to help a local computer repair shop do data recovery for their clients. I saw how a small piece of software was able to do all that damage to computers, which was surprising and amazing to me at the same time. This led to my passion for cybersecurity!


So, I believe it is a passion more than attraction. It’s why I’m driven by the famous Sherlock Holmes quote: “Education never ends, Watson. It is a series of lessons, with the greatest for the last.” I still believe there are so many things that I need to learn.


2) You earned your Ph.D. in network security and have continued to research the area. In your assessment what are the top challenges in network security today?


AH: Yes, everything is lying within those bytes traveling from one device to another. I would say the challenges are divided into three categories:


  1. The sheer volume of data.

Imagine the amount of traffic you would collect from one device if we just captured it for a one-hour session, with a user doing normal activity (browsing the internet, sending emails, texting, etc.). Now, how much data would we be dealing with if we collected it [from all users] on an enterprise, corporate, or government network? What if we look at the amount of data traveling through an ISP? It’s huge!


  2. Diversity of protocols being used.

If we go back to when the internet started and ask ourselves “how many protocols were used at that time?”, we might be surprised that they were not so many. I do not have a number, but I’m definitely sure they were far fewer than what we have today. There are so many different protocols out there and who knows how they are being used. Also, think of the organizations that are developing their own custom protocols to satisfy their own needs. Your system will be dealing with this type of network traffic – and it really needs to know a lot in order to help you with answers.


  3. Encrypted traffic.

This [lack of visibility] is a challenge that exists everywhere, not just on the network layer, but even on computers or any other devices where encrypted data might be stored or used for transmission.


3) What recommendations do you have to network security teams for overcoming those challenges?


AH: There is no silver bullet, but I can say the best way to reduce the threat window is to understand your environment as much as possible.


The problem is that it is more easily said than actually done. I do not mean just counting systems and what they are used for, the number of users, or the policies and controls applied – nor about information which could be found through inventories, monitoring devices and other systems – but about truly understanding what all of those things are doing on your network.


A simple example would be to find answers to questions such as: Based on your policy, why is userX on hostX with a connection to hostY using protocolX at timeX for durationX? More to that (not necessarily in this order):

  • Does our policy permit the activity between hostX and hostY?
  • Does our policy permit userX to access hostY?
  • Does our policy permit such a protocol between these two hosts?
  • Does our policy permit the time of communication?
  • Does our policy permit such a connection for that period of time?


We need to figure out if this type of activity is normal or abnormal. This is just one simple example within a complicated answer.


4) We’ve noticed you are fairly active in the Zeek community. For those network security professionals who aren’t familiar with Zeek, how would you describe what Zeek is and how it can benefit their organization?


AH: I would say Zeek is like a box of LEGO® bricks: it comes with a manual to assemble the pieces into a specific object and then play with it. But the creators did not limit you to that object. It is up to the player to change what the final object looks like. There are so many ways in which you can use those LEGO bricks – it is not limited to the manual that comes with it.


That manual is only to give you an idea of the things you can create, so imagination is your only limitation. You could use it in so many ways and create so many objects out of it. Therefore, “use the manual and you’ll get what comes out-of-the-box, use your imagination and the options become limitless!”


Just to give an idea, let me share some examples. I’ve used Zeek, like others, for network security monitoring, network forensics, and research. But I’ve also used Zeek to build different systems where Zeek was a major component of those systems.


There are two examples that I can share. One was to use Zeek as part of a data leakage detection system, where Zeek was responsible for filtering, logging and extracting documents traveling outside the network. After that, those documents were sent to a system where the contents of the file would be examined and then flagged, based on whether there was data being leaked or not. The other example was using Zeek to build different statistics on all the domains and websites being visited on a client’s network.


You might be able to purchase similar tools that could help do both of these tasks, but they will cost you. In addition, those solutions might not be tailored to your current and future needs.


With Zeek, you can update those systems easily if, for example, we need to check different types of files as opposed to just documents. You can even do statistics on other types of communications not just domains and web-related traffic.
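As an added example (not code from the interview, from Dr. Hadi, or from the Zeek project), the policy questions from answer 3 and the leakage-detection use case from answer 4 can both be run against Zeek's own logs. The Python below parses Zeek's TSV log format, answers the five policy questions (host pair, user, protocol/service, time of day, duration) for each conn.log record, and flags files.log records where a document left a local host for an external one. Everything it relies on is an assumption: the local networks, the host-to-user mapping (conn.log carries no user name; a real deployment would join against Kerberos or DHCP logs or an asset inventory), the allow-list policy, the document MIME types, and the constructed conn.log and files.log excerpts, which use the Zeek 6 files.log column layout (id.orig_h, id.resp_h, is_orig).

```python
"""Policy and data-leakage checks over Zeek logs. Added example with constructed data:
the networks, host-to-user map, allow-list, MIME set and log excerpts below are made
up, and files.log is assumed to use the Zeek 6 columns (id.orig_h/id.resp_h/is_orig)."""
from datetime import datetime, time, timezone
from ipaddress import ip_address, ip_network

LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# conn.log has no user column; in practice this comes from an identity source. Constructed.
HOST_OWNER = {"10.0.0.5": "alice", "10.0.0.7": "bob", "10.0.0.9": "carol"}
# Allow-list keyed by (source host, destination host); each rule answers the five
# questions from the interview: host pair, user, service, time of day, max duration (s).
POLICY = {
    ("10.0.0.5", "10.0.0.20"): dict(users={"alice"}, services={"ssh"},
                                    start=time(8), end=time(18), max_dur=3600.0),
    ("10.0.0.7", "192.168.1.10"): dict(users={"bob"}, services={"smb"},
                                       start=time(8), end=time(18), max_dur=600.0),
}
DOCUMENT_MIMES = {"application/pdf", "application/msword"}


def parse_zeek_tsv(text):
    """Parse Zeek's default ASCII (TSV) log into dicts keyed by the #fields header."""
    sep, fields, rows = "\t", None, []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Zeek writes the separator escaped, e.g. "#separator \x09".
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #types, #path, #open, #close and blank lines
        else:
            rows.append(dict(zip(fields, line.split(sep))))
    return rows


def is_local(host):
    return any(ip_address(host) in net for net in LOCAL_NETS)


def check_connection(row):
    """Return the policy violations for one conn.log row; an empty list means permitted."""
    src, dst = row["id.orig_h"], row["id.resp_h"]
    service = row.get("service", "-")
    duration = float(row["duration"]) if row.get("duration", "-") != "-" else 0.0
    started = datetime.fromtimestamp(float(row["ts"]), tz=timezone.utc)
    user = HOST_OWNER.get(src, "unknown")
    rule = POLICY.get((src, dst))
    if rule is None:  # is any activity between these two hosts permitted at all?
        return [f"no policy permits {src} -> {dst}"]
    findings = []
    if user not in rule["users"]:
        findings.append(f"user {user} may not access {dst}")
    if service not in rule["services"]:
        findings.append(f"service {service!r} not permitted between {src} and {dst}")
    if not rule["start"] <= started.time() <= rule["end"]:
        findings.append(f"connection at {started:%H:%M}Z is outside the allowed window")
    if duration > rule["max_dur"]:
        findings.append(f"duration {duration:.0f}s exceeds {rule['max_dur']:.0f}s")
    return findings


def audit_connections(conn_log_text):
    """Map each conn.log uid to its list of violations."""
    return {r["uid"]: check_connection(r) for r in parse_zeek_tsv(conn_log_text)}


def outbound_documents(files_log_text):
    """files.log rows where a document left a local host for an external one."""
    hits = []
    for r in parse_zeek_tsv(files_log_text):
        if r.get("mime_type") not in DOCUMENT_MIMES:
            continue
        sent_by_orig = r["is_orig"] == "T"  # T: the connection originator sent the file
        sender = r["id.orig_h"] if sent_by_orig else r["id.resp_h"]
        receiver = r["id.resp_h"] if sent_by_orig else r["id.orig_h"]
        if is_local(sender) and not is_local(receiver):
            hits.append((r["fuid"], r["mime_type"], sender, receiver))
    return hits


def _tsv(*cols):
    return "\t".join(cols)


# Constructed conn.log excerpt, trimmed to the columns the checks read.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    _tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service", "duration"),
    _tsv("1699956000.000000", "C1ok", "10.0.0.5", "51000", "10.0.0.20", "22", "tcp", "ssh", "120.5"),  # 10:00Z
    _tsv("1700000000.000000", "C2late", "10.0.0.5", "51001", "10.0.0.20", "22", "tcp", "ssh", "7200.0"),  # 22:13Z
    _tsv("1699956000.000000", "C3nopol", "10.0.0.9", "51002", "10.0.0.20", "22", "tcp", "ssh", "5.0"),
    _tsv("1699956000.000000", "C4svc", "10.0.0.7", "51003", "192.168.1.10", "445", "tcp", "-", "-"),
])
# Constructed files.log excerpt (Zeek 6 layout, trimmed).
SAMPLE_FILES_LOG = "\n".join([
    "#separator \\x09",
    _tsv("#fields", "ts", "fuid", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "source", "mime_type", "is_orig"),
    _tsv("1699956001.0", "F1pdfout", "C5", "10.0.0.5", "52000", "203.0.113.10", "443", "HTTP", "application/pdf", "T"),
    _tsv("1699956003.0", "F3pdfin", "C6", "10.0.0.7", "52001", "203.0.113.20", "80", "HTTP", "application/pdf", "F"),
    _tsv("1699956004.0", "F4local", "C7", "10.0.0.5", "52002", "10.0.0.20", "445", "SMB", "application/pdf", "T"),
])

if __name__ == "__main__":
    for uid, findings in audit_connections(SAMPLE_CONN_LOG).items():
        print(uid, "permitted" if not findings else "; ".join(findings))
    print("outbound documents:", outbound_documents(SAMPLE_FILES_LOG))
```

Run it directly to print a verdict per connection and the list of outbound documents. In the sample data only `C1ok` passes; `C2late` fails on both time of day and duration, `C3nopol` has no rule at all, and `C4svc` is the right hosts and user but an unrecognised service. The same skeleton extends to the domain statistics mentioned above (for example, counting the `host` column of http.log or the `query` column of dns.log), and Zeek's file-extraction analyzer would supply the actual file bodies for the content-inspection stage described in the answer.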


5) There’s a lot of chatter in the security community about the scarcity of talent. As a professor training the next generation of security professionals, what is your perspective on the issue? Is it real? If so, what can organizations do to attract (or develop) talent?


AH: Unfortunately, with the number of “things” using networks nowadays and the increasing number of cyberattacks, there is definitely a need for more talent.


Organizations should do two things:


  1. Support communities and schools teaching cybersecurity skills both financially and collaboratively. This will help enhance their programs and do more research, which all falls back to organizations getting better talent.
  2. Provide internships for students and entry-level jobs for graduates to learn in a true environment. Stop asking for “N-years” of experience; where will they gain that if you close your door and others do the same? They could be more beneficial to your organization if you got to see their mistakes and then trained them to overcome such mistakes.


6) Do you have any advice for aspiring cybersecurity professionals as they pursue their careers?


AH: Don’t be afraid of asking questions, doing experiments, failing, or not doing things correctly the first time. Everyone out there that you believe is an expert went through this cycle. No one came out of the box an expert and, finally, no one knows everything.


7) Lightning round with fun questions! Please answer in just a word or phrase:

  • One security publication you read and recommend is…(AH) Reflections on Trusting Trust by Ken Thompson.
  • One security expert, you recommend following is…(AH) Adam: @Hexacorn
  • If a CISO just received 10% more budget, you would advise him or her to spend it on…(AH)
  • If you weren’t working in cybersecurity, you’d be…(AH) It’s funny, but to be honest, I would be a martial artist.


* * *

Thank you, Dr. Hadi, for entertaining this interview. Readers can find more from him, including research and publications, on his website. He’s also active on LinkedIn and Twitter.

If you enjoyed this post, you might also like:

Zeek IDS [formerly known as Bro] is One of the Most Powerful Cybersecurity Tools You’ve Never Heard Of

*** This is a Security Bloggers Network syndicated blog from Bricata authored by Bricata. Read the original post at:
