(JA)3 Reasons to Rethink Your Encrypted Traffic Analysis Strategies

  • Wednesday, 05 Dec 2018 3:30PM EST (05 Dec 2018 20:30 UTC)
  • Speakers: Dave Shackleford, Troy Kent

The network has a ground-truth property that is hard to replicate with other security data sources, so for years it has been a valuable source of insight that enabled effective detection and response. However, the network is becoming increasingly opaque: the definition of the network itself is changing with cloud computing, and more of the data crossing it is encrypted. Security teams are losing visibility into this powerful data source just as attackers use techniques like encryption to evade traditional detection methods. In this talk we will cover one aspect of this challenge: encryption on the wire. Using the specific use case of identifying and profiling the applications behind the encryption, we will discuss the current state of the art in encrypted traffic analysis. The talk will highlight some of the shortcomings of current approaches, including fingerprint libraries like JA3. We will also dive deep into strategies that are effective without generating noise for the security team. Finally, we will provide guidance on the capabilities your security stack needs in order to shine light into encrypted traffic on the wire.
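For readers who have not worked with JA3 directly, the following Python is an added illustration, not material from the webcast or its speakers. It builds a constructed TLS ClientHello record (the byte layout follows the TLS handshake format; the cipher, extension and group values are sample choices, not a capture of any real client), parses the five fields JA3 reads, and produces the JA3 string and MD5 hash in the published field order: version, ciphers, extensions, supported groups, point formats, with GREASE values removed. The demo then shows two properties a detection engineer meets in practice: GREASE padding is stripped and does not alter the fingerprint, while a change in extension order produces a different hash, which is one reason a single application can map to several JA3 values.

```python
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 drops them before hashing.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}

SUPPORTED_GROUPS = 10   # extension carrying the elliptic-curve / group list
EC_POINT_FORMATS = 11   # extension carrying the point-format list


def build_client_hello(version, ciphers, extensions, curves, point_formats):
    """Assemble a minimal TLS record wrapping a ClientHello.

    Constructed test input, not a captured packet: only the fields JA3 reads
    are populated, and every other extension gets an empty payload.
    """
    ext_bytes = b""
    for ext in extensions:
        if ext == SUPPORTED_GROUPS:
            payload = struct.pack("!H", 2 * len(curves))
            payload += b"".join(struct.pack("!H", c) for c in curves)
        elif ext == EC_POINT_FORMATS:
            payload = struct.pack("!B", len(point_formats)) + bytes(point_formats)
        else:
            payload = b""
        ext_bytes += struct.pack("!HH", ext, len(payload)) + payload

    body = struct.pack("!H", version)
    body += b"\x00" * 32            # client random (zeroed for the example)
    body += b"\x00"                 # empty legacy session id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"             # one compression method: null
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Walk a TLS record and return the five JA3 inputs as integers / integer lists."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    p = 5 + 4                                   # skip record and handshake headers
    version = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + 32                                 # version, then random
    p += 1 + record[p]                          # session id
    cs_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    ciphers = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + record[p]                          # compression methods
    extensions, curves, point_formats = [], [], []
    if p < len(record):
        ext_total = struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        end = p + ext_total
        while p < end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            data = record[p:p + elen]
            p += elen
            extensions.append(etype)
            if etype == SUPPORTED_GROUPS:
                n = struct.unpack("!H", data[:2])[0]
                curves = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif etype == EC_POINT_FORMATS:
                point_formats = list(data[1:1 + data[0]])
    return version, ciphers, extensions, curves, point_formats


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Join the fields JA3-style: comma between fields, dash within, GREASE removed."""
    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), field(ciphers), field(extensions),
                     field(curves), field(point_formats)])


def ja3_from_record(record):
    """Return (ja3_string, ja3_md5_hex) for one ClientHello record."""
    s = ja3_string(*parse_client_hello(record))
    return s, hashlib.md5(s.encode("ascii")).hexdigest()


def demo():
    """Three constructed hellos: plain, GREASE-padded, and with two extensions swapped."""
    plain = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02B],
                               [0, 23, 65281, 10, 11], [29, 23, 24], [0])
    greased = build_client_hello(0x0303, [0x2A2A, 0x1301, 0x1302, 0xC02B],
                                 [0x3A3A, 0, 23, 65281, 10, 11], [0x4A4A, 29, 23, 24], [0])
    reordered = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02B],
                                   [23, 0, 65281, 10, 11], [29, 23, 24], [0])
    return {name: ja3_from_record(rec)
            for name, rec in (("plain", plain), ("greased", greased), ("reordered", reordered))}


if __name__ == "__main__":
    for name, (s, h) in demo().items():
        print(f"{name:9s} {h}  {s}")
```

Running the demo prints identical hashes for the plain and GREASE-padded hellos and a different one for the reordered hello, even though all three advertise the same ciphers, extensions and groups. Any fingerprint library built this way needs to be maintained against that churn, which is the practical point behind profiling applications rather than matching a single hash.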