OnDemand & vLive - Get a GIAC Cert Attempt Included or $350 Off thru 10/31


To attend this webcast, login to your SANS Account or create your Account.

5 Ways Bro Gives You Better Data for Incident Response and Threat Hunting

  • Wednesday, May 9th, 2018 at 3:30 PM EDT (19:30:00 UTC)
  • Greg Bell, Matt Bromiley, and John Gamble (moderator)
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account. Click the Register Now button after you have logged in to view the Webcast.


  • Corelight

You can now attend the webcast using your mobile device!


Since most cyber attacks cross the network and hosts themselves can be compromised, threat hunters and incident responders typically rely on network data as a vital source of truth, to reconstruct what really happened (or is happening now) in their environment. 

Unfortunately, common sources of network data such as NetFlow, DNS server logs, and PCAP have limitations. Some are too expensive to store and difficult to search at scale (e.g. PCAP), while others contain minimal information and leave critical questions unanswered (e.g. NetFlow).

Between these two extremes lies a perfect middle ground: the compact, actionable data generated by the open-source network monitoring platform Bro. Bro produces rich and highly-organized logs that summarize events on the wire comprehensively, in a format designed by and for security professionals. Bro provides much of the network context of PCAP, but with NetFlow-like usability.

Register for this technical webcast to hear from Greg Bell, CEO of Corelight, and SANS Instructor Matt Bromiley about their frontline experience with Bro - and to learn about five unique ways that Bro empowers incident responders and threat hunters to get their work done faster and more effectively.

Speaker Bios

Gregory Bell

Gregory Bell is the CEO of Corelight, and previously served leadership roles at Lawrence Berkeley National Laboratory, including as Director of the Scientific Networking Division, Director of the US Department of Energy's high performance mission network ESnet, and Chief Technology Architect in the Office of the CIO. As ESnet Director, Greg oversaw deployment of the world's first 100G network at continental scale, and the world's first 400G production link. Greg also serves on the board of CENIC, the high-performance public network interconnecting 20 million Californians and vital public-serving institutions. Greg has a Ph.D. from UC Berkeley, and an A.B. from Harvard.

Matt Bromiley

Matt Bromiley is a SANS Certified Digital Forensics and Incident Response instructor, teaching Advanced Digital Forensics, Incident Response, and Threat Hunting (FOR508) and Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response (FOR572), and a GIAC Advisory Board member. He is also a principal incident response consultant at a major incident response and forensic analysis company, combining experience in digital forensics, incident response/triage and log analytics. His skills include disk, database, memory and network forensics, as well as network security monitoring. Matt has worked with clients of all types and sizes, from multinational conglomerates to small, regional shops. He is passionate about learning, teaching and working on open source tools.

Need Help? Visit our FAQ page or email webcast-support@sans.org.

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.