Your organizations information is at risk. Learn how to protect it at SANS Minneapolis - August 12-17.

Webcasts

To attend this webcast, login to your SANS Account or create your Account.

Alternative Network Visibility Strategies for an Encrypted World

  • Thursday, March 21st, 2019 at 3:30 PM EDT (19:30:00 UTC)
  • Gregory Bell and Matt Bromiley
This webcast has been archived. You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account. Click the Register Now button after you have logged in to view the Webcast.

Sponsor

  • Corelight

You can now attend the webcast using your mobile device!

Overview

Security analysts rely on network data for ground truth in incident response and threat hunting, but the prevalence of encryption has made visibility challenging. According to recent industry reports, 72% of network traffic is now encrypted and 89% of all web pages loaded in the United States use HTTPS.

Decryption is the obvious counter strategy, but not always the optimal one as it can degrade network performance, violate privacy and become an operational burden when it requires managing host agents, certificates and other related dependencies. And in some cases decryption is not technologically possible.

Fortunately, the open-source Zeek Network Security Monitor (formerly Bro) provides powerful visibility around encrypted streams and can generate a wealth of security insights without breaking and inspecting payloads. Zeek can reliably detect commonly-used encryption protocols wherever they occur, comprehensively parse its cryptographic characteristics, and illuminate unencrypted traffic related to an encrypted connection. Security analysts can use these insights to identify anomalies (e.g. rare and self-signed certs), detect suspicious activity (e.g. SSL/TLS running on non-standard ports), and uniquely fingerprint encrypted connections for whitelisting and blacklisting.

Register for this technical webcast to hear from Greg Bell, CEO of Corelight, and SANS Instructor Matt Bromiley about their front-line experience using Zeek to drive encrypted traffic insights and defend organizations and learn how you can apply their insights in your environment.

Speaker Bios

Gregory Bell

Gregory Bell is the CEO of Corelight, and previously served leadership roles at Lawrence Berkeley National Laboratory, including as Director of the Scientific Networking Division, Director of the US Department of Energy's high performance mission network ESnet, and Chief Technology Architect in the Office of the CIO. As ESnet Director, Greg oversaw deployment of the world's first 100G network at continental scale, and the world's first 400G production link. Greg also serves on the board of CENIC, the high-performance public network interconnecting 20 million Californians and vital public-serving institutions. Greg has a Ph.D. from UC Berkeley, and an A.B. from Harvard.


Matt Bromiley

Matt Bromiley is a SANS Certified Digital Forensics and Incident Response instructor, teaching Advanced Digital Forensics, Incident Response, and Threat Hunting (FOR508) and Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response (FOR572), and a GIAC Advisory Board member. He is also a principal incident response consultant at a major incident response and forensic analysis company, combining experience in digital forensics, incident response/triage and log analytics. His skills include disk, database, memory and network forensics, as well as network security monitoring. Matt has worked with clients of all types and sizes, from multinational conglomerates to small, regional shops. He is passionate about learning, teaching and working on open source tools.

Need Help? Visit our FAQ page or email webcast-support@sans.org.

Not able to attend a SANS webcast? All Webcasts are archived so you may view and listen at a time convenient to your schedule. View our webcast archive and access webcast recordings/PDF slides.