
8 Keys to a Defensible Network Architecture And How Zeek Can Help You Get There

  • Tuesday, November 6th, 2018 at 10:30 AM EST (15:30:00 UTC)
  • Richard Bejtlich, Matt Bromiley, and John Gamble (moderator)
This webcast has been archived. The recording and the slides are available to holders of a SANS Portal Account.


  • Corelight


If your network architecture is largely unmapped, unmonitored and unmanned then you have a significant security risk you need to mitigate. Without a comprehensive inventory of your network infrastructure, an ability to make fast sense of the traffic, and established baselines of normal activity, network intrusions will go undiscovered longer or you will outright miss them.

You can't protect your network from the things you don't know about or can't see, which is why ensuring your network architecture meets key design principles such as Inventoried, Monitored, and Measured is critical for strong network defense.

In this webcast, Richard Bejtlich, author of The Tao of Network Security Monitoring: Beyond Intrusion Detection, and SANS Instructor Matt Bromiley will present eight key design principles for building a defensible network architecture and show you how the Zeek network security monitoring framework can help you get there. Zeek, formerly known as Bro, extracts over 400 fields of data from network traffic across 35+ protocols, providing nearly all the context of full packet capture at less than 1% of the storage footprint.

Register for this webcast to learn:

  • Eight critical network architecture principles that will strengthen your defense
  • Practical guidance for implementing these design principles in your environment
  • How Zeek can help you inventory, illuminate, and benchmark your network
  • And more....
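The two principles the abstract names directly, Inventoried and Measured, both fall out of Zeek's conn.log once you treat it as structured data rather than text. The following is an added example for this page, not code from SANS, Corelight or the Zeek project: it parses a constructed conn.log excerpt (Zeek's default tab-separated ASCII layout with a `#fields` header and `-` for unset values), builds an inventory of internal hosts and the services they actually answered on, computes a per-host byte volume as a baseline input, and then flags services absent from an approved list and hosts far above the median volume. The 10.0.0.0/8 internal range, the `APPROVED` list and the outlier factor are assumptions for the example.

```python
"""Inventory internal services and baseline per-host traffic from Zeek conn.log records.

Added example for this page, not SANS, Corelight or Zeek code. Assumes Zeek's default
ASCII log layout (tab-separated, '#fields' header, '-' for unset) and treats 10.0.0.0/8
as the internal address space (an assumption for the example).
"""
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed conn.log excerpt: a subset of Zeek's conn.log columns, as a filtered log might carry.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\n"
    "1541514000.1\tCa1\t10.0.1.25\t51234\t10.0.2.10\t443\ttcp\tssl\t1.2\t900\t5400\tSF\n"
    "1541514001.3\tCa2\t10.0.1.26\t51235\t10.0.2.10\t443\ttcp\tssl\t0.9\t800\t5200\tSF\n"
    "1541514002.7\tCa3\t10.0.1.25\t51240\t10.0.2.20\t53\tudp\tdns\t0.01\t60\t120\tSF\n"
    "1541514003.0\tCa4\t10.0.1.26\t51241\t10.0.2.20\t53\tudp\tdns\t0.01\t58\t130\tSF\n"
    "1541514010.5\tCa5\t10.0.1.25\t51250\t10.0.2.30\t3389\ttcp\t-\t0.0\t0\t0\tS0\n"
    "1541514012.8\tCa6\t10.0.1.40\t51300\t10.0.2.99\t4444\ttcp\t-\t35.0\t120000\t3000\tSF\n"
    "1541514013.1\tCa7\t10.0.1.25\t51260\t93.184.216.34\t443\ttcp\tssl\t2.0\t700\t9000\tSF\n"
)

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the site's internal space
# Zeek conn_state values in which the TCP handshake completed (the responder really answered).
ESTABLISHED = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}
# Assumed approved-service list: (host, proto, port) tuples the architecture documents.
APPROVED = {("10.0.2.10", "tcp", 443), ("10.0.2.20", "udp", 53)}


def parse_conn_log(text):
    """Parse Zeek ASCII log text into dicts keyed by the '#fields' names; unset values become None."""
    sep, unset, fields, rows = "\t", "-", None, []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Zeek writes the separator as an escape sequence, e.g. '\x09' for tab.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line:
            continue  # other header lines ('#types', '#path', '#close', ...)
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            values = line.split(sep)
            rows.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return rows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_inventory(rows):
    """Map each internal host to the (proto, port, service) tuples it answered on.

    Only established connections count, so a SYN to a closed port (conn_state S0)
    does not create a phantom service in the inventory.
    """
    inventory = defaultdict(set)
    for r in rows:
        if r["conn_state"] in ESTABLISHED and is_internal(r["id.resp_h"]):
            inventory[r["id.resp_h"]].add((r["proto"], int(r["id.resp_p"]), r["service"] or "unknown"))
    return dict(inventory)


def per_host_volume(rows):
    """Total bytes in both directions per internal originating host: the 'Measured' baseline input."""
    volume = defaultdict(int)
    for r in rows:
        if is_internal(r["id.orig_h"]):
            volume[r["id.orig_h"]] += int(r["orig_bytes"] or 0) + int(r["resp_bytes"] or 0)
    return dict(volume)


def unexpected_services(inventory, approved):
    """Services seen on the wire that the approved (host, proto, port) list does not contain."""
    return {(host, proto, port) for host, svcs in inventory.items()
            for proto, port, _ in svcs if (host, proto, port) not in approved}


def volume_outliers(volume, factor=5):
    """Hosts that moved more than `factor` times the median per-host volume in this window."""
    if not volume:
        return set()
    threshold = factor * median(volume.values())
    return {host for host, total in volume.items() if total > threshold}


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    inventory = build_inventory(rows)
    for host, svcs in sorted(inventory.items()):
        print(host, sorted(svcs))
    print("unexpected:", unexpected_services(inventory, APPROVED))
    print("outliers:", volume_outliers(per_host_volume(rows)))
```

On the constructed sample this yields three inventoried hosts (10.0.2.30 is absent because the RDP attempt was never answered), one service outside the approved list (10.0.2.99 on tcp/4444) and one volume outlier (10.0.1.40). In practice the approved list comes from the architecture documentation and the median from a longer window than a handful of records, but the shape is the same: the inventory is whatever the traffic proves is listening, and the baseline is whatever the traffic proves is normal.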

Speaker Bios

Richard Bejtlich

Richard Bejtlich is principal security strategist at Corelight. He was previously Chief Security Strategist at FireEye, and Mandiant's Chief Security Officer when FireEye acquired Mandiant in 2013. At General Electric, as Director of Incident Response, he built and led the 40-member GE Computer Incident Response Team (GE-CIRT). Richard began his digital security career as a military intelligence officer in 1997 at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA). Richard is a graduate of Harvard University and the United States Air Force Academy. His fourth book is 'The Practice of Network Security Monitoring'. He also writes on his blog and on Twitter.

Matt Bromiley

Matt Bromiley is a SANS digital forensics and incident response (IR) instructor, teaching FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics and SANS FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. He is also an IR consultant at a global IR and forensic analysis company, combining experience in digital forensics, log analytics, and incident response and management. His skills include disk, database, memory and network forensics; incident management; threat intelligence and network security monitoring. Matt has worked with organizations of all shapes and sizes, from multinational conglomerates to small, regional shops. He is passionate about learning, teaching and working on open source tools.
