Alternative Network Visibility Strategies for an Encrypted World

  • Thursday, 21 Mar 2019 3:30PM EDT (21 Mar 2019 19:30 UTC)
  • Speakers: Matt Bromiley, Gregory Bell

Security analysts rely on network data for ground truth in incident response and threat hunting, but the prevalence of encryption has made visibility challenging. According to recent industry reports, 72% of network traffic is now encrypted and 89% of all web pages loaded in the United States use HTTPS.

Decryption is the obvious counter strategy, but not always the optimal one as it can degrade network performance, violate privacy and become an operational burden when it requires managing host agents, certificates and other related dependencies. And in some cases decryption is not technologically possible.

Fortunately, the open-source Zeek Network Security Monitor (formerly 'Bro ') provides powerful visibility around encrypted streams and can generate a wealth of security insights without breaking and inspecting payloads. Zeek can reliably detect commonly-used encryption protocols wherever they occur, comprehensively parse its cryptographic characteristics, and illuminate unencrypted traffic related to an encrypted connection. Security analysts can use these insights to identify anomalies (e.g. rare and self-signed certs), detect suspicious activity (e.g. SSL/TLS running on non-standard ports), and uniquely fingerprint encrypted connections for whitelisting and blacklisting.

Register for this technical webcast to hear from Greg Bell, CEO of Corelight, and SANS Instructor Matt Bromiley about their front-line experience using Zeek to drive encrypted traffic insights and defend organizations and learn how you can apply their insights in your environment.