Over recent years, significant effort has gone into ensuring high availability and integrity of NSF-funded large-scale computational research cyberinfrastructure. This project targets the improvement of a particular security component that is widely used to protect these NSF investments: the open-source "Bro" intrusion detection framework, which is deployed by major universities, large research labs, supercomputing centers, and open-science communities. Bro's popularity is a two-edged sword, however, as it comes with demands that are often difficult to meet for the small research team behind the system. Therefore, this work establishes a sustainable development model for Bro by providing explicit engineering resources outside of the scope of research efforts, and uses them to advance the system to a state at which Bro's user community can take a more active role in its future development.

More specifically, this project (1) improves the perspective of Bro's end-users by providing extensive up-to-date documentation and support, and refining many of the rough edges that the system has accumulated over time; (2) unifies and modernizes Bro's current code base that has evolved over 14 years of active development; (3) improves Bro's processing performance to the degree required for operation in current and future large-scale scientific environments; and (4) adds new data analysis functionality in the form of a highly interactive graphical user interface and a transparent database interface. By specifically addressing much of the feedback the Bro team has received from users, the project enables a wide range of new sites to use Bro effectively for protecting their cyberinfrastructure.

Project Report

This project targeted the improvement of a particular security component that is widely used to protect NSF's investments in cyberinfrastructure: the open-source "Bro" network security monitor, which is deployed by major universities, large research labs, supercomputing centers, and open-science communities. For a long time, Bro's popularity was unfortunately a two-edged sword, as it came with demands that were difficult to meet for the small research team originally behind the system. This project put the Bro Project on track to establish a sustainable development model by—for the first time—providing explicit engineering resources outside of the scope of research efforts. As the project concludes, we are excited to report that this work has transformed Bro from what used to be primarily a research project into a routine operational capability that is now protecting some of the largest organizations and networks around the country—inside and outside the NSF community, including Fortune 10 companies and the 2012 Obama Campaign.

Since our first Bro release within this project—for which we completely overhauled many of the user-visible parts of the system with a new focus on operational usage—Bro has experienced tremendous growth across a diverse range of settings. We now typically see about 10,000 direct downloads per version from our main server, which tend to come from a couple thousand unique AS numbers across about 150 countries. These numbers count neither downloads from GitHub nor what is now arguably the most common way for new users to get started with Bro: Security Onion, a Linux-based live DVD environment tailored to security monitoring, which includes Bro as a key component. Over the course of this project, attendance at our annual Bro user meetings grew from originally 30-50 people to 150 attendees from 60 different institutions at the 2014 event. Our Twitter account shows almost 3000 followers, and the main Bro mailing list now reaches close to 1000 people. InfoWorld awarded Bro a 2014 "Bossie Award" in the category "The best open source networking and security software", and they also included Bro in their list of "11 open source security tools catching fire on GitHub". Indeed, Bro is at the top of GitHub's security showcases list.

Going forward, the work for this project enabled us to lay the groundwork for sustaining Bro development long-term with two complementary strategies. First, to specifically support the broader NSF community, we created the "Bro Center of Expertise" at ICSI and NCSA as a central point of contact for institutions in education and science. The Center offers our team's expertise to NSF-supported sites seeking advice with Bro deployment and usage; see http://nsf.bro.org for more information. Second, to support the increasing Bro demand within the corporate and government sectors, we founded a professional services company, Broala LLC, that provides ongoing commercial-grade Bro support with the individual attention that large organizations require. For more information about Broala, please see www.broala.com.

Agency: National Science Foundation (NSF)
Institute: Division of Advanced CyberInfrastructure (ACI)
Type: Standard Grant (Standard)
Application #: 1032889
Program Officer: Anita Nikolich
Project Start:
Project End:
Budget Start: 2010-09-01
Budget End: 2014-08-31
Support Year:
Fiscal Year: 2010
Total Cost: $2,995,905
Indirect Cost:

Name: International Computer Science Institute
Department:
Type:
DUNS #:
City: Berkeley
State: CA
Country: United States
Zip Code: 94704