The network has a ground-truth property that is hard to replicate with other security data sources, so for years it has been a valuable source of insight that enabled effective detection and response. However, the network is becoming increasingly opaque as cloud computing changes the definition of the network itself and as more of the data crossing it is encrypted. Security teams are therefore losing visibility into this powerful data source just as attackers use techniques like encryption to evade traditional detection methods. In this talk we will cover one aspect of this challenge: encryption on the wire. Using the specific use case of identifying and profiling the applications behind the encryption, we will discuss the current state of the art in encrypted traffic analysis. The talk will highlight some of the shortcomings of current approaches, including fingerprint libraries like JA3. We will also dive deep into strategies that are effective without burying the security team in noisy alerts. Finally, we will provide guidance on the capabilities your security stack needs in order to shine light into encrypted traffic on the wire.
Recorded: December 5, 2018
Speakers: Troy Kent, Awake Security & Dave Shackleford, SANS
Type: On-Demand Webcast
Troy Kent, Awake Security
When Troy was 5 years old he used to open executable files in Notepad and edit them. He thought he was programming. Now he opens them in IDA Pro and thinks he's reverse engineering. His knack for pattern recognition and apparent refusal to let puzzles defeat him have led him to his passion for cybersecurity. He has spent his career in SOCs as an analyst at multiple tiers and as an investigator: working ticket queues, hunting for security incidents, rapidly prototyping new ideas into existence, working terrible hours and questioning career decisions. At Awake Security he is a Threat Researcher who uses his skills and knowledge to ensure that Awake empowers the analyst as much as possible. He loves what he does and hopes that what he does ensures others do too.
Dave Shackleford, SANS
Dave Shackleford, a SANS analyst, instructor, course author, GIAC technical director and member of the board of directors for the SANS Technology Institute, is the founder and principal consultant with Voodoo Security. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. A VMware vExpert, Dave has extensive experience designing and configuring secure virtualized infrastructures. He previously worked as chief security officer for Configuresoft and CTO for the Center for Internet Security. Dave currently helps lead the Atlanta chapter of the Cloud Security Alliance.