The network is the ultimate "ground truth" of evidence for incident responders, but common data sources such as NetFlow and DNS server logs are difficult to correlate and do not provide enough detail to quickly answer the critical who/what/where/how questions of incident response.
A better source of network data exists, however, in one of the industry's best-kept secrets: the open-source Bro network security monitor. Bro turns network traffic into high-fidelity data streams that summarize and organize network events by protocol, using a data format designed specifically for incident response that supports easy, fast search in SIEM solutions like Splunk.
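To make the "high-fidelity data streams organized by protocol" concrete, here is an added Python example (not code from the webcast, Corelight, or the Bro project) that parses Bro's default ASCII log layout and joins a conn.log with a dns.log to answer who/what/where/how for one external IP. The two logs are constructed and abridged in their column lists; the header conventions (`#fields`, `#unset_field`, tab separation, comma-joined set columns) follow Bro's own format, and the same join is what you would express as a Splunk search over indexed Bro logs.

```python
"""Join Bro (now Zeek) conn.log and dns.log to answer who/what/where for one IP.

Added example, not code from the webcast, Corelight or the Bro project. The
two logs below are constructed (and abridged in their field lists) to follow
Bro's default ASCII layout: '#'-prefixed header lines, a '#fields' line naming
the columns, tab-separated rows, and the '#unset_field' marker ('-') for
values that are not present.
"""
from typing import Dict, List, Optional

Row = Dict[str, Optional[str]]

# Constructed conn.log: one DNS exchange, one TLS session, one unanswered SYN (S0).
CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\tinterval\tcount\tcount\tstring\n"
    "1521234567.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t10.0.0.2\t53\tudp\tdns"
    "\t0.001200\t40\t120\tSF\n"
    "1521234567.200000\tCkHzX21jW9Ul0Jk7fb\t10.0.0.5\t51235\t203.0.113.10\t443\ttcp\tssl"
    "\t12.500000\t3200\t48000\tSF\n"
    "1521234570.000000\tCHB0Na2X9w8gTd3Rn5\t10.0.0.7\t40000\t198.51.100.20\t80\ttcp\t-"
    "\t-\t0\t0\tS0\n"
    "#close\t2018-03-16-20-30-00\n"
)

# Constructed dns.log (abridged columns): two answered lookups and one NXDOMAIN.
DNS_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#unset_field\t-\n"
    "#path\tdns\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\ttrans_id"
    "\tquery\tqtype_name\trcode_name\tanswers\n"
    "1521234567.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t10.0.0.2\t53\tudp\t4660"
    "\tupdate.example.net\tA\tNOERROR\t203.0.113.10\n"
    "1521234569.500000\tCmZ4kT1p8Qw2Lr9Xyz\t10.0.0.7\t51300\t10.0.0.2\t53\tudp\t4661"
    "\tcdn.example.org\tA\tNOERROR\t198.51.100.20,198.51.100.21\n"
    "1521234571.000000\tC9yH2s4nDq7Vb3Ff0k\t10.0.0.7\t51301\t10.0.0.2\t53\tudp\t4662"
    "\tnope.example.invalid\tA\tNXDOMAIN\t-\n"
)


def parse_bro_log(text: str) -> List[Row]:
    """Parse one Bro ASCII log into dicts keyed by #fields; unset values become None."""
    fields: Optional[List[str]] = None
    unset = "-"
    rows: List[Row] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line.partition("\t")
            if key == "#fields":
                fields = rest.split("\t")
            elif key == "#unset_field":
                unset = rest
            continue  # #separator, #types, #path, #open, #close: not needed here
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        rows.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return rows


def lookups_answering(dns_rows: List[Row], ip: str) -> List[Row]:
    """dns.log 'answers' is a set column joined by #set_separator (',')."""
    hits = []
    for r in dns_rows:
        answers = r["answers"].split(",") if r["answers"] else []
        if ip in answers:
            hits.append(r)
    return hits


def investigate(conn_rows: List[Row], dns_rows: List[Row], ip: str) -> Dict[str, List[dict]]:
    """For one external IP: which hosts connected (who), on what service/port (what),
    with which result (where it got), and which DNS name led them there (how)."""
    names: Dict[str, set] = {}
    for d in lookups_answering(dns_rows, ip):
        names.setdefault(d["id.orig_h"], set()).add(d["query"])
    report: Dict[str, List[dict]] = {}
    for c in conn_rows:
        if c["id.resp_h"] != ip:
            continue
        orig = c["id.orig_h"]
        report.setdefault(orig, []).append({
            "uid": c["uid"],
            "service": c["service"],
            "resp_p": c["id.resp_p"],
            "conn_state": c["conn_state"],
            "resp_bytes": int(c["resp_bytes"] or 0),
            "resolved_names": sorted(names.get(orig, ())),
        })
    return report


if __name__ == "__main__":
    conn = parse_bro_log(CONN_LOG)
    dns = parse_bro_log(DNS_LOG)
    for target in ("203.0.113.10", "198.51.100.20"):
        print(target, investigate(conn, dns, target))
```

The `uid` column ties a dns.log entry to its own conn.log record; the follow-on connection to the answered IP is a separate connection, so the "how" is recovered by matching the resolving host against the connection's originator. Note that `conn_state` S0 on the second target tells you the SYN was never answered, which a NetFlow record would not distinguish from a completed session.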
Register for this webcast to hear Vincent Stoffer, Director of Customer Solutions at Corelight, and Ken Hanson, founder of Secure Tech Results, explain how Bro fundamentally changed their incident response workflows. The webcast will show how to use Bro logs in Splunk to answer critical IR questions and resolve security incidents and alerts in minutes rather than hours or days.