The Best Online Cybersecurity Training in the World - SANS OnDemand


To attend this webcast, login to your SANS Account or create your Account.

5 Ways Bro Gives You Better Data for Incident Response and Threat Hunting

  • Wednesday, May 9th, 2018 at 3:30 PM EDT (19:30:00 UTC)
  • Greg Bell, Matt Bromiley, and John Gamble (moderator)
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account. Click the Register Now button after you have logged in to view the Webcast.


  • Corelight

You can now attend the webcast using your mobile device!


Since most cyber attacks cross the network and hosts themselves can be compromised, threat hunters and incident responders typically rely on network data as a vital source of truth, to reconstruct what really happened (or is happening now) in their environment. 

Unfortunately, common sources of network data such as NetFlow, DNS server logs, and PCAP have limitations. Some are too expensive to store and difficult to search at scale (e.g. PCAP), while others contain minimal information and leave critical questions unanswered (e.g. NetFlow).

Between these two extremes lies a perfect middle ground: the compact, actionable data generated by the open-source network monitoring platform Bro. Bro produces rich and highly-organized logs that summarize events on the wire comprehensively, in a format designed by and for security professionals. Bro provides much of the network context of PCAP, but with NetFlow-like usability.

Register for this technical webcast to hear from Greg Bell, CEO of Corelight, and SANS Instructor Matt Bromiley about their frontline experience with Bro - and to learn about five unique ways that Bro empowers incident responders and threat hunters to get their work done faster and more effectively.

Speaker Bios

Gregory Bell

Gregory Bell is the CEO of Corelight, and previously served leadership roles at Lawrence Berkeley National Laboratory, including as Director of the Scientific Networking Division, Director of the US Department of Energy's high performance mission network ESnet, and Chief Technology Architect in the Office of the CIO. As ESnet Director, Greg oversaw deployment of the world's first 100G network at continental scale, and the world's first 400G production link. Greg also serves on the board of CENIC, the high-performance public network interconnecting 20 million Californians and vital public-serving institutions. Greg has a Ph.D. from UC Berkeley, and an A.B. from Harvard.

Matt Bromiley

Matt Bromiley is a SANS digital forensics and incident response (IR) instructor, teaching FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics and SANS FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. He is also an IR consultant at a global IR and forensic analysis company, combining experience in digital forensics, log analytics, and incident response and management. His skills include disk, database, memory and network forensics; incident management; threat intelligence and network security monitoring. Matt has worked with organizations of all shapes and sizes, from multinational conglomerates to small, regional shops. He is passionate about learning, teaching and working on open source tools.

Need Help? Visit our FAQ page or email

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.