


Alternative Network Visibility Strategies for an Encrypted World

  • Thursday, March 21, 2019 at 3:30 PM EDT (2019-03-21 19:30:00 UTC)
  • Gregory Bell, Matt Bromiley
  • Corelight




Security analysts rely on network data for ground truth in incident response and threat hunting, but the prevalence of encryption has made visibility challenging. According to recent industry reports, 72% of network traffic is now encrypted and 89% of all web pages loaded in the United States use HTTPS.

Decryption is the obvious counter strategy, but not always the optimal one as it can degrade network performance, violate privacy and become an operational burden when it requires managing host agents, certificates and other related dependencies. And in some cases decryption is not technologically possible.

Fortunately, the open-source Zeek Network Security Monitor (formerly Bro) provides powerful visibility around encrypted streams and can generate a wealth of security insights without breaking and inspecting payloads. Zeek can reliably detect commonly used encryption protocols wherever they occur, comprehensively parse their cryptographic characteristics, and illuminate unencrypted traffic related to an encrypted connection. Security analysts can use these insights to identify anomalies (e.g. rare and self-signed certs), detect suspicious activity (e.g. SSL/TLS running on non-standard ports), and uniquely fingerprint encrypted connections for whitelisting and blacklisting.
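An added example (not code from the webcast or from Corelight) of the kind of metadata-only analysis the abstract describes: a small parser for Zeek's tab-separated ssl.log that flags self-signed certificates, TLS on non-standard ports, missing SNI and legacy protocol versions without touching any payload. The log records and the port list are constructed assumptions; a real ssl.log carries more columns than the subset shown here.

```python
"""Flag TLS anomalies from Zeek ssl.log metadata alone, with no decryption."""
from typing import Dict, Iterator, List

# Constructed sample in Zeek's tab-separated log format (a subset of real ssl.log fields).
SAMPLE_SSL_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name\tsubject\tissuer\tvalidation_status
1553197800.1\tCabc1\t10.0.0.5\t51000\t93.184.216.34\t443\tTLSv12\texample.com\tCN=example.com\tCN=Example Root CA\tok
1553197801.2\tCabc2\t10.0.0.7\t51001\t203.0.113.9\t8443\tTLSv12\t-\tCN=update-svc\tCN=update-svc\tself signed certificate
1553197802.3\tCabc3\t10.0.0.8\t51002\t198.51.100.2\t53\tTLSv10\t-\tCN=x\tCN=x\tself signed certificate
#close\t2019-03-21-19-30-00
"""

# Assumed baseline of ports where TLS is expected in this environment; tune per site.
STANDARD_TLS_PORTS = {443, 465, 636, 853, 993, 995, 8443}
LEGACY_VERSIONS = {"SSLv3", "TLSv10"}


def parse_zeek_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record; column names come from the #fields header line."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):  # other header/footer lines
            continue
        values = line.split("\t")
        if not fields or len(values) != len(fields):
            raise ValueError("record does not match the #fields header")
        yield dict(zip(fields, values))  # "-" is Zeek's marker for an unset field


def find_tls_anomalies(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious session, identified by its Zeek uid."""
    findings = []
    for rec in parse_zeek_log(log_text):
        reasons = []
        port = int(rec["id.resp_p"])
        if port not in STANDARD_TLS_PORTS:
            reasons.append(f"tls_on_nonstandard_port:{port}")
        # Self-signed: Zeek's validation verdict, or subject identical to issuer
        if rec["validation_status"].startswith("self signed") or (
                rec["subject"] != "-" and rec["subject"] == rec["issuer"]):
            reasons.append("self_signed_cert")
        if rec["server_name"] == "-":  # no SNI is unusual for browser traffic
            reasons.append("no_sni")
        if rec["version"] in LEGACY_VERSIONS:
            reasons.append(f"legacy_version:{rec['version']}")
        if reasons:
            findings.append({"uid": rec["uid"], "dst": f"{rec['id.resp_h']}:{port}",
                             "reasons": ",".join(reasons)})
    return findings
```

Running `find_tls_anomalies(SAMPLE_SSL_LOG)` leaves the normal port-443 session alone and reports the two self-signed sessions, one of them additionally for TLS 1.0 on port 53.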

Register for this technical webcast to hear from Greg Bell, CEO of Corelight, and SANS Instructor Matt Bromiley about their front-line experience using Zeek to derive insights from encrypted traffic and defend organizations, and learn how you can apply those insights in your own environment.

Speaker Bios

Gregory Bell

Gregory Bell is the CEO of Corelight, and previously served leadership roles at Lawrence Berkeley National Laboratory, including as Director of the Scientific Networking Division, Director of the US Department of Energy's high performance mission network ESnet, and Chief Technology Architect in the Office of the CIO. As ESnet Director, Greg oversaw deployment of the world's first 100G network at continental scale, and the world's first 400G production link. Greg also serves on the board of CENIC, the high-performance public network interconnecting 20 million Californians and vital public-serving institutions. Greg has a Ph.D. from UC Berkeley, and an A.B. from Harvard.

Matt Bromiley

Matt Bromiley is a SANS digital forensics and incident response (IR) instructor, teaching FOR508 Advanced Incident Response, Threat Hunting, and Digital Forensics and SANS FOR572 Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response. He is also an IR consultant at a global IR and forensic analysis company, combining experience in digital forensics, log analytics, and incident response and management. His skills include disk, database, memory and network forensics; incident management; threat intelligence and network security monitoring. Matt has worked with organizations of all shapes and sizes, from multinational conglomerates to small, regional shops. He is passionate about learning, teaching and working on open source tools.
