


This webcast has been archived. To view the webcast, log in to your SANS Portal Account or create an account by clicking the "Get Registered" button on the right. Once you register, you can download the presentation slides below.

7 Ways to Find Encrypted Network Threats Without Decryption

  • Thursday, May 28, 2020 at 12:00 PM EDT (2020-05-28 16:00:00 UTC)
  • John Gamble, Vincent Stoffer


  • Corelight




Threat hunters need evidence to find adversaries. Networks offer a broad and reliable source of evidence, helping hunters make sense of movement across their environment via an immutable record of activity. Traffic, unlike endpoints, cannot lie. But the rise of encryption complicates this picture, especially where decryption is not an optimal or possible solution.

Fortunately, the open-source Zeek Network Security Monitor (formerly Bro) can provide visibility into actionable metadata on encrypted streams for threat hunters without breaking and inspecting payloads. With Zeek, analysts can see the use of self-signed certificates, fingerprint SSH and SSL traffic, identify encryption on non-standard ports, and more. Corelight's commercial solutions extend Zeek's capabilities, especially around SSH traffic, giving analysts new insight into activities such as file transfer over SSH.
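An added example (not from the webcast or from Corelight) of two of the checks named above, self-signed certificates and TLS on non-standard ports, run over constructed Zeek ssl.log records in JSON form. It assumes the validate-certs policy script is loaded so that `validation_status` is populated; the port allow-list and the `triage` function are hypothetical.

```python
import json

# Assumption: ports where this site expects TLS; tune per environment.
EXPECTED_TLS_PORTS = {443, 465, 636, 853, 993, 995}

# Constructed sample records in Zeek's JSON ssl.log layout (not real traffic).
# Zeek detects TLS by protocol, not port, so handshakes on any port land here.
SAMPLE_SSL_LOG = """\
{"ts":1590681600.1,"uid":"CAAA1","id.orig_h":"10.0.0.5","id.resp_h":"198.51.100.7","id.resp_p":443,"server_name":"www.example.com","validation_status":"ok"}
{"ts":1590681601.2,"uid":"CBBB2","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.9","id.resp_p":443,"server_name":"portal.example.net","validation_status":"self signed certificate"}
{"ts":1590681602.3,"uid":"CCCC3","id.orig_h":"10.0.0.8","id.resp_h":"203.0.113.44","id.resp_p":4444,"validation_status":"self-signed certificate"}
{"ts":1590681603.4,"uid":"CDDD4","id.orig_h":"10.0.0.9","id.resp_h":"192.0.2.20","id.resp_p":8081,"server_name":"api.example.org","validation_status":"ok"}
this line is truncated and will not parse
"""


def triage(lines):
    """Return (uid, responder, reasons) for each ssl.log record worth a look."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue  # blank line or TSV-style header
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip damaged records instead of aborting the hunt
        reasons = []
        # OpenSSL 1.x says "self signed", OpenSSL 3 says "self-signed"; normalize.
        status = str(rec.get("validation_status", "")).lower().replace("-", " ")
        if "self signed" in status:
            reasons.append("self-signed certificate")
        port = rec.get("id.resp_p")
        if port is not None and port not in EXPECTED_TLS_PORTS:
            reasons.append(f"TLS on non-standard port {port}")
        if reasons:
            findings.append((rec.get("uid"), rec.get("id.resp_h"), reasons))
    return findings


if __name__ == "__main__":
    for uid, dst, reasons in triage(SAMPLE_SSL_LOG.splitlines()):
        print(uid, dst, "; ".join(reasons))
```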

Register for this technical webcast to hear from Vince Stoffer, a former security engineer and incident responder and current Director of Product Management at Corelight, and John Gamble, Director of Product Marketing at Corelight, to learn about seven different ways to find network threats in your environment whether traffic is encrypted or not.

Speaker Bios

Vincent Stoffer

Vincent Stoffer is the Director of Customer Solutions at Corelight, the company founded by the creators of the Bro Network Security Monitor. As the primary product champion, Vince brings the sales, success, and engineering teams together to deliver world-class security products to Corelight customers. Vince previously held security engineering and network management positions at Lawrence Berkeley National Laboratory where he played a critical operational role in incident response, network traffic analysis, and technical consulting to improve the Lab's cyber protections. Prior to LBNL, Vince was the network security engineer at Reed College. He attended Pitzer College in Claremont, CA, graduated with a BA in Humanities from University of Oregon, and he holds the CISSP, GCIH and GCIA certifications.

John Gamble

John Gamble is Director of Product Marketing at Corelight and has spent more than a decade in the data protection industry representing cybersecurity, privacy and identity verification solutions, including his most recent role as Director of Product Marketing at Lookout, a mobile endpoint security company.
