infoTECH Feature

February 05, 2016

Tackling the SSL Encrypted Traffic Blindside

By Special Guest
Greg Mayfield, Director of Product Marketing, Blue Coat

SSL/TLS encrypted network traffic needs to be managed much like an NFL pass rusher. SSL/TLS encryption is widely used to secure communications to internal and external servers, but can blind security mechanisms by preventing inspection of network traffic, increasing risk.

Cybercriminals are like the defensive ends trying to get past your offensive line and do damage to the heart of your organization (sack your quarter back). In fact, Gartner predicts that in 2017 more than half of network attacks targeting enterprises will use encrypted traffic to bypass security controls. Advanced threats use hidden “command and control” channels to execute malicious programs and exfiltrate proprietary data.

It’s obvious that taking your eye off the opponent carries negative consequences. However, the reality is today’s strategies for encrypted traffic management typically fall short. With attackers preying on the growing security gaps created by encrypted traffic, let’s examine the five most common network traffic inspection errors made by today’s security leaders:

Lack of attention. Gartner finds that defense-in-depth effectiveness gaps are being ignored. For example, most organizations lack formal policies to control and manage encrypted traffic. Less than 50 percent of enterprises with dedicated Secure Web Gateways (SWG) decrypt outbound Web traffic. Less than 20 percent of organizations with a firewall, an intrusion prevention system (IPS) or a unified threat management (UTM) appliance decrypt inbound or outbound SSL traffic.

Inaccuracy. Enterprises mistakenly throw money at all kinds of solutions, from IDS/IPS and DLP to NGFW, malware analysis and more. While these solutions address a variety of network security issues, they may only offer SSL inspection as an add-on feature, if at all, with limited visibility into just web/HTTPS traffic. In this case, multiple appliances or significant hardware capacity upgrades must be deployed to support the proper inspection of processor-intensive SSL/TLS traffic, combined with limited and varying product support for SSL/TLS cryptographic standards, which is costly, ineffective, inconsistent and operationally challenging.

Starting and stopping.  Starting and stopping often plagues IT security teams when it comes to encrypted traffic decryption projects. The complex set of laws and regulations on data privacy typically impedes decision making by the Legal, HR or Compliance Teams. Furthermore, the risk of conflict and dissatisfaction with employees (i.e. “Why is IT inspecting my emails?), often derails these encrypted traffic decryption efforts. The more time it takes an organization to decide and act, the more time the adversaries – in the case ‘cybercriminals’ – have to explore network vulnerabilities and possibly exfiltrate proprietary data.

Playing with a weak left tackle.  Malware is using SSL/TLS to do its damage. For example, according to Gartner, the pervasive Zeus botnet uses SSL/TLS communication to upgrade after the initial email infection. Furthermore, here at Blue Coat Research Labs we’ve seen that the malicious Dyre Trojan often utilizes nefarious command and control (C2C) mechanisms like Upatre to communicate secretly with its command and control servers. So a good offense requires a great defense – as it’s not just about seeing and inspecting what’s coming into your organization’s network, but also what’s going out of it.

Letting the environment cloud your game.  The rapid adoption of cloud apps and services dramatically expands and complicates the IT environment, accelerates SSL/TLS encrypted traffic use, and expands the risk surface for attacker exploitation. Modern applications such as social media, file storage, search and cloud-based software increasingly use SSL/TLS as the basis for their communications. Monitoring and scouring these networked applications and services for malicious content and activity is a highly recommended best practice – just ask the US-CERT. At minimum, the expanding use of these applications creates more questions about when to strategically encrypt and decrypt.  

Here are four recommendations to eliminate the security blind spots in your network:  

  • Take inventory and plan for growth: Assess the SSL/TLS traffic mix and volume in your organization – especially as you adopt cloud, mobile an web applications and services.
  • Evaluate the risk of un-inspected traffic: Share insights and collaborate with your non-IT colleagues in HR, Legal or Compliance, review and refine established policies from a security, privacy and compliance standpoint and then create a joint action plan to resolve any vulnerabilities. It’s not just an IT security issue.
  • Enhance your network security infrastructure with comprehensive encrypted traffic management: Empower existing NGFW, IDS/IPS, anti-virus, DLP, malware analysis (sandbox) and security analytics solutions with the ability to see and detect all threats – even from formerly encrypted traffic - and process them accordingly.
  • Monitor, refine and enforce: Constantly monitor, refine and enforce the acceptable use policies for encrypted applications and traffic in and out of your network. It’s just a good security practice.

Greg is a Director of Product Marketing at Blue Coat (News - Alert) Systems, Inc. leading the marketing efforts for two of the company’s product lines: Encrypted Traffic Management solutions and the X-Series Integrated Security Platform. A creative marketer and evangelist, his responsibilities include driving the promotion, awareness and sale of Blue Coat’s market-leading security solutions, enabling the global sales field and channels to accelerate sales, and driving thought leadership in support of the network security industry.

With over 25 years of experience in the networking industry, Greg has held various strategic marketing, product marketing and product line management roles in several high-technology companies, with an emphasis on network security, network and systems management and data center solutions. Prior to joining Blue Coat in 2013, he held various marketing and management roles at VMware, Cisco (News - Alert), Novell and Nortel Networks Corporation. Greg holds a Bachelors Degree in Applied Physics from Hiram College, Ohio.




Edited by Kyle Piscioniere
FOLLOW US

Subscribe to InfoTECH Spotlight eNews

InfoTECH Spotlight eNews delivers the latest news impacting technology in the IT industry each week. Sign up to receive FREE breaking news today!
FREE eNewsletter

infoTECH Whitepapers