Threat hunters need evidence to find adversaries. Networks offer a broad and reliable source of evidence, helping hunters make sense of movement across their environment via an immutable record of activity. Traffic, unlike endpoints, cannot lie. But the rise of encryption complicates this picture, especially where decryption is not an optimal or possible solution.
Fortunately, the open-source Zeek Network Security Monitor (formerly Bro) can provide visibility into actionable metadata on encrypted streams for threat hunters without breaking and inspecting payloads. With Zeek, analysts can see the use of self-signed certificates, fingerprint SSH and SSL traffic, identify encryption on non-standard ports, and more. Corelight's commercial solutions extend Zeek's capabilities, especially around SSH traffic, giving analysts new insight into activities such as file transfer over SSH.
Register for this technical webcast to hear from Vince Stoffer, a former security engineer and incident responder and current Director of Product Management at Corelight, and John Gamble, Director of Product Marketing at Corelight, to learn about seven different ways to find network threats in your environment whether traffic is encrypted or not.