Threat hunters need evidence to find adversaries. Networks offer a broad and reliable source of evidence, helping hunters make sense of movement across their environment via an immutable record of activity. Traffic, unlike endpoints, cannot lie. But the rise of encryption complicates this picture, especially where decryption isn't an optimal or possible solution.
Fortunately, the open-source Zeek Network Security Monitor (formerly Bro) can provide visibility into actionable metadata on encrypted streams for threat hunters without breaking and inspecting payloads. With Zeek, analysts can see the use of self-signed certificates, fingerprint SSH and SSL traffic, identify encryption on non-standard ports, and more. And Corelight's commercial solutions extend Zeek's capabilities, especially around SSH traffic, giving analysts new insight into activities such as file transfer or keystrokes over SSH.
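As an added illustration (not code from Corelight or the Zeek project) of the kind of hunt the metadata above enables, the script below reads constructed Zeek JSON-format conn.log and ssl.log records and flags two of the signals mentioned: an encrypted service that Zeek's protocol detection identified on a port outside an assumed "expected" set, and a server certificate that is self-signed. Field names follow Zeek's conn.log and ssl.log, the sample values and the expected-port list are assumptions.

```python
import json

# Constructed sample records in Zeek's JSON log format; field names match
# conn.log / ssl.log, but every value here is invented for illustration.
CONN_LOG = """
{"ts":1700000000.1,"uid":"Cx1","id.orig_h":"10.0.0.5","id.orig_p":51234,"id.resp_h":"203.0.113.10","id.resp_p":443,"proto":"tcp","service":"ssl"}
{"ts":1700000001.2,"uid":"Cx2","id.orig_h":"10.0.0.5","id.orig_p":51240,"id.resp_h":"198.51.100.7","id.resp_p":8000,"proto":"tcp","service":"ssl"}
{"ts":1700000002.3,"uid":"Cx3","id.orig_h":"10.0.0.9","id.orig_p":40022,"id.resp_h":"198.51.100.8","id.resp_p":2222,"proto":"tcp","service":"ssh"}
{"ts":1700000003.4,"uid":"Cx4","id.orig_h":"10.0.0.9","id.orig_p":40100,"id.resp_h":"198.51.100.9","id.resp_p":80,"proto":"tcp","service":"http"}
"""
SSL_LOG = """
{"ts":1700000000.2,"uid":"Cx1","id.resp_h":"203.0.113.10","id.resp_p":443,"server_name":"www.example.com","subject":"CN=www.example.com","issuer":"CN=Example CA","validation_status":"ok"}
{"ts":1700000001.3,"uid":"Cx2","id.resp_h":"198.51.100.7","id.resp_p":8000,"server_name":"198.51.100.7","subject":"CN=localhost","issuer":"CN=localhost","validation_status":"self signed certificate"}
"""

# Assumed baseline of ports where each encrypted service is expected in this environment.
EXPECTED_PORTS = {"ssl": {443, 465, 563, 636, 853, 993, 995, 8443}, "ssh": {22}}

def parse_log(text):
    """One JSON object per line, as Zeek writes with LogAscii::use_json=T."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def find_nonstandard_ports(conn_records):
    """Flag flows where Zeek's protocol detection saw an encrypted service on an unexpected port.
    The conn.log 'service' field may list several protocols comma-separated (e.g. 'ssl,http')."""
    hits = []
    for rec in conn_records:
        for svc in (rec.get("service") or "").split(","):
            expected = EXPECTED_PORTS.get(svc)
            if expected and rec["id.resp_p"] not in expected:
                hits.append((rec["uid"], svc, rec["id.resp_h"], rec["id.resp_p"]))
    return hits

def find_self_signed(ssl_records):
    """Flag TLS sessions whose server certificate is self-signed: issuer equals subject,
    or Zeek's OpenSSL-derived validation_status says so."""
    hits = []
    for rec in ssl_records:
        subject, issuer = rec.get("subject"), rec.get("issuer")
        status = rec.get("validation_status") or ""
        if (subject and subject == issuer) or "self signed" in status:
            hits.append((rec["uid"], rec["id.resp_h"], rec["id.resp_p"], subject))
    return hits

def hunt(conn_text=CONN_LOG, ssl_text=SSL_LOG):
    return {"nonstandard_ports": find_nonstandard_ports(parse_log(conn_text)),
            "self_signed": find_self_signed(parse_log(ssl_text))}

if __name__ == "__main__":
    for name, findings in hunt().items():
        print(name, findings)
```

Joining the two result sets on `uid` (Cx2 appears in both) is how an analyst would prioritise: TLS on an odd port with a self-signed certificate is a stronger lead than either signal alone.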
Register for this technical webcast to hear from Matt Ellison of Corelight about his experience using Zeek and Corelight to threat hunt, and learn how you can apply those insights in your own environment, whether or not the traffic is encrypted.
SPEAKER:
Matt Ellison
Director of Sales Engineering for EMEA and APAC, Corelight
Matt has specialised in cyber security for over 15 years across endpoint, network and user technologies and has led teams in product management, product marketing and technical sales. With previous roles at Symantec, LogRhythm and BAE Systems, Matt’s extensive experience has allowed him to work with numerous organisations across EMEA and APAC helping them understand how best to address their security challenges.