Detecting malicious patterns inside encrypted network traffic is not easy. JA3, a method of fingerprinting Secure Sockets Layer (SSL) traffic developed by Salesforce, aims to address this by profiling client (JA3) and server (JA3S) SSL connections. Because these fingerprints are unique and persistent, they provide a way to discover applications, fingerprint operating systems, and even discover malware. This presentation showcases how to use Splunk to streamline JA3 event data gathered from Bro/Zeek, combine it with the host-level visibility provided by Carbon Black, and ultimately correlate network signatures with endpoint telemetry. You will learn how to use this method to get a better understanding of which processes are causing benign or malicious SSL connections on your network and how to hunt for unknown threats.
Slides PDF link - https://conf.splunk.com/files/2019/slides/SEC2056.pdf?podcast=1577146215
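As an added illustration of the two pieces the abstract describes (this is example code written for this page, not material from the talk or its slides), the block below first computes a JA3 fingerprint from a TLS ClientHello using the published JA3 recipe (MD5 over "Version,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats", decimal values joined with "-", GREASE values dropped), and then joins Zeek ssl.log rows to endpoint network-connection events so each fingerprint can be attributed to a process. The ClientHello bytes, the Zeek rows and the endpoint events are all constructed here; the Zeek field names (`id.orig_h`, `id.resp_h`, `id.resp_p`, `server_name`, plus the `ja3` column the Zeek ja3 package adds) are real, while the endpoint record schema (`host_ip`, `remote_ip`, `remote_port`, `process`) is a placeholder, not Carbon Black's, and the `JA3_*` values are stand-ins for real hashes.

```python
"""JA3 fingerprinting and endpoint correlation, worked example (not from the talk or its slides).

Assumptions: the ClientHello, the Zeek ssl.log rows and the endpoint connection events are
all constructed below; the endpoint record schema is a placeholder, not Carbon Black's.
"""
import hashlib
import struct
from collections import defaultdict

# GREASE values 0x0a0a, 0x1a1a, ..., 0xfafa (RFC 8701) are excluded from JA3 input lists.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _dash(values):
    return "-".join(str(v) for v in values)


def ja3_from_client_hello(record: bytes):
    """Return (ja3_string, ja3_md5) for a TLS record that carries a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:]                                   # skip record header (type, version, length)
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                               # skip handshake type + 3-byte length
    version = struct.unpack_from("!H", body, p)[0]; p += 2
    p += 32                                             # client random
    p += 1 + body[p]                                    # session id
    cs_len = struct.unpack_from("!H", body, p)[0]; p += 2
    ciphers = [c for (c,) in struct.iter_unpack("!H", body[p:p + cs_len]) if c not in GREASE]
    p += cs_len
    p += 1 + body[p]                                    # compression methods
    ext_len = struct.unpack_from("!H", body, p)[0]; p += 2
    end = p + ext_len
    extensions, curves, point_formats = [], [], []
    while p < end:
        etype, elen = struct.unpack_from("!HH", body, p); p += 4
        data = body[p:p + elen]; p += elen
        if etype in GREASE:
            continue
        extensions.append(etype)
        if etype == 10:                                 # supported_groups (elliptic_curves)
            n = struct.unpack_from("!H", data, 0)[0]
            curves = [g for (g,) in struct.iter_unpack("!H", data[2:2 + n]) if g not in GREASE]
        elif etype == 11:                               # ec_point_formats
            point_formats = list(data[1:1 + data[0]])
    ja3 = f"{version},{_dash(ciphers)},{_dash(extensions)},{_dash(curves)},{_dash(point_formats)}"
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def _ext(etype, data):
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(sni=b"example.com"):
    """Constructed TLS 1.3-style ClientHello with GREASE entries (sample input, not a capture)."""
    ciphers = b"".join(struct.pack("!H", c) for c in (0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F))
    groups = b"".join(struct.pack("!H", g) for g in (0x0A0A, 0x001D, 0x0017, 0x0018))
    sni_entry = b"\x00" + struct.pack("!H", len(sni)) + sni
    alpn = b"\x02h2" + b"\x08http/1.1"
    exts = (_ext(0x0A0A, b"")                                          # GREASE extension
            + _ext(0, struct.pack("!H", len(sni_entry)) + sni_entry)   # server_name
            + _ext(10, struct.pack("!H", len(groups)) + groups)        # supported_groups
            + _ext(11, b"\x01\x00")                                    # ec_point_formats
            + _ext(16, struct.pack("!H", len(alpn)) + alpn)            # ALPN
            + _ext(43, b"\x04\x03\x04\x03\x03"))                       # supported_versions
    hello = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"
             + struct.pack("!H", len(ciphers)) + ciphers + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed Zeek ssl.log rows (the `ja3` column comes from the Zeek ja3 package).
ZEEK_SSL = [
    {"ts": 1000.0, "id.orig_h": "10.0.0.5", "id.resp_h": "93.184.216.34", "id.resp_p": 443,
     "server_name": "example.com", "ja3": "JA3_BROWSER"},
    {"ts": 1005.0, "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.7", "id.resp_p": 443,
     "server_name": "-", "ja3": "JA3_ODD"},
]
# Constructed endpoint network-connection events (placeholder schema, not Carbon Black's).
ENDPOINT_NETCONN = [
    {"ts": 999.8, "host_ip": "10.0.0.5", "remote_ip": "93.184.216.34", "remote_port": 443,
     "process": "firefox.exe"},
    {"ts": 1004.9, "host_ip": "10.0.0.5", "remote_ip": "198.51.100.7", "remote_port": 443,
     "process": "svchost.exe"},
]


def attribute_ja3(ssl_rows, netconn_rows, window=2.0):
    """Join SSL rows to endpoint connections on (src, dst, port) within `window` seconds.
    Returns {(process, ja3): [server_name, ...]}."""
    seen = defaultdict(list)
    for s in ssl_rows:
        for n in netconn_rows:
            same_tuple = (s["id.orig_h"], s["id.resp_h"], s["id.resp_p"]) == \
                         (n["host_ip"], n["remote_ip"], n["remote_port"])
            if same_tuple and abs(s["ts"] - n["ts"]) <= window:
                seen[(n["process"], s["ja3"])].append(s["server_name"])
    return dict(seen)


def unexpected_pairs(attribution, baseline):
    """Hunting step: (process, ja3) pairs not in the per-process baseline of known fingerprints."""
    return [k for k in attribution if k[1] not in baseline.get(k[0], set())]


if __name__ == "__main__":
    print(ja3_from_client_hello(build_client_hello()))
    pairs = attribute_ja3(ZEEK_SSL, ENDPOINT_NETCONN)
    print(unexpected_pairs(pairs, {"firefox.exe": {"JA3_BROWSER"}}))
```

The join key is the same one a Splunk search would use across the two sources (client IP, server IP, server port, and a small timestamp tolerance); the baseline dictionary stands in for whatever per-process fingerprint inventory the analyst has built up, so any process that starts presenting a fingerprint outside its known set surfaces for review.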