SSL/TLS encrypted network traffic needs to be managed much like an NFL pass rusher. SSL/TLS encryption is widely used to secure communications to internal and external servers, but can blind security mechanisms by preventing inspection of network traffic, increasing risk.
Cybercriminals are like the defensive ends trying to get past your offensive line and do damage to the heart of your organization (sack your quarterback). In fact, Gartner predicts that in 2017 more than half of network attacks targeting enterprises will use encrypted traffic to bypass security controls. Advanced threats use hidden “command and control” channels to execute malicious programs and exfiltrate proprietary data.
It’s obvious that taking your eye off the opponent carries negative consequences. However, the reality is today’s strategies for encrypted traffic management typically fall short. With attackers preying on the growing security gaps created by encrypted traffic, let’s examine the five most common network traffic inspection errors made by today’s security leaders:
Lack of attention. Gartner finds that defense-in-depth effectiveness gaps are being ignored. For example, most organizations lack formal policies to control and manage encrypted traffic. Less than 50 percent of enterprises with dedicated Secure Web Gateways (SWG) decrypt outbound Web traffic. Less than 20 percent of organizations with a firewall, an intrusion prevention system (IPS) or a unified threat management (UTM) appliance decrypt inbound or outbound SSL traffic.
Inaccuracy. Enterprises mistakenly throw money at all kinds of solutions, from IDS/IPS and DLP to NGFW, malware analysis and more. While these solutions address a variety of network security issues, they may only offer SSL inspection as an add-on feature, if at all, with visibility limited to web/HTTPS traffic. As a result, multiple appliances or significant hardware capacity upgrades must be deployed to inspect processor-intensive SSL/TLS traffic properly, and product support for SSL/TLS cryptographic standards is limited and varies from product to product. The outcome is costly, ineffective, inconsistent and operationally challenging.
Starting and stopping. Starting and stopping often plagues IT security teams when it comes to encrypted traffic decryption projects. The complex set of laws and regulations on data privacy typically impedes decision making by the Legal, HR or Compliance teams. Furthermore, the risk of conflict and dissatisfaction among employees (i.e. “Why is IT inspecting my emails?”) often derails these encrypted traffic decryption efforts. The more time it takes an organization to decide and act, the more time the adversaries – in this case, cybercriminals – have to explore network vulnerabilities and possibly exfiltrate proprietary data.
Playing with a weak left tackle. Malware is using SSL/TLS to do its damage. For example, according to Gartner, the pervasive Zeus botnet uses SSL/TLS communication to upgrade after the initial email infection. Furthermore, here at Blue Coat Research Labs we’ve seen that the malicious Dyre Trojan often utilizes nefarious command and control (C2C) mechanisms like Upatre to communicate secretly with its command and control servers. So a good offense requires a great defense – as it’s not just about seeing and inspecting what’s coming into your organization’s network, but also what’s going out of it.
Letting the environment cloud your game. The rapid adoption of cloud apps and services dramatically expands and complicates the IT environment, accelerates SSL/TLS encrypted traffic use, and expands the risk surface for attacker exploitation. Modern applications such as social media, file storage, search and cloud-based software increasingly use SSL/TLS as the basis for their communications. Monitoring and scouring these networked applications and services for malicious content and activity is a highly recommended best practice – just ask the US-CERT. At minimum, the expanding use of these applications creates more questions about when to strategically encrypt and decrypt.
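The gaps above (no formal decryption policy, privacy objections to blanket decryption, and cloud application traffic that is TLS by default) come down to a per-flow decision at the inspection point: decrypt and inspect, or exempt and log metadata only. The following Python script is an added example, not code from the original post or from Blue Coat. It builds a constructed TLS 1.2 ClientHello, extracts the Server Name Indication (SNI) from it without decrypting anything, and applies a hypothetical bypass list (the domains and categories are assumptions) so that privacy-sensitive categories are exempted while everything else, including flows that carry no SNI at all and non-TLS bytes on a TLS port, is sent for inspection or flagged.

```python
import struct

# Hypothetical bypass list (assumed, not from the post): categories that Legal/HR/Compliance
# exempt from decryption. Anything not listed here is decrypted and inspected.
PRIVACY_BYPASS = {
    "bank.example": "financial",
    "patient-portal.example": "healthcare",
}


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a real capture)."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                  # client_version: TLS 1.2
        + b"\x11" * 32                               # random (fixed filler)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
        + b"\x01\x00"                                # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None if the extension is absent.
    Raises ValueError if the bytes are not a TLS ClientHello at all."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    off = 2 + 32                                         # skip version + random
    sid_len = p[off]
    off += 1 + sid_len                                   # skip session_id
    cs_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2 + cs_len                                    # skip cipher_suites
    cm_len = p[off]
    off += 1 + cm_len                                    # skip compression_methods
    if off + 2 > len(p):
        return None                                      # no extensions block at all
    ext_len = struct.unpack("!H", p[off:off + 2])[0]
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", p[off:off + 4])
        off += 4
        data = p[off:off + ext_size]
        off += ext_size
        if ext_type == 0x0000 and len(data) >= 5:        # server_name extension
            name_type = data[2]
            name_len = struct.unpack("!H", data[3:5])[0]
            if name_type == 0:
                return data[5:5 + name_len].decode("ascii", "replace")
    return None


def decryption_policy(record):
    """Decide what the inspection point does with a flow: an (action, reason) pair."""
    try:
        sni = extract_sni(record)
    except ValueError as exc:
        return ("flag", f"unparseable handshake on TLS port: {exc}")
    if sni is None:
        # No server name means no category to exempt, so the flow is decrypted and inspected.
        return ("decrypt", "no SNI present, nothing to exempt; inspect")
    for domain, category in PRIVACY_BYPASS.items():
        if sni == domain or sni.endswith("." + domain):
            return ("bypass", f"{category} traffic exempted by policy; log metadata only")
    return ("decrypt", f"{sni} not exempted; inspect")


if __name__ == "__main__":
    # Constructed flows, including one that is plain HTTP on a TLS port.
    samples = [build_client_hello("www.bank.example"),
               build_client_hello("files.cloudapp.example"),
               build_client_hello(None),
               b"GET / HTTP/1.1\r\n"]
    for rec in samples:
        print(decryption_policy(rec))
```

The point of the metadata step is that the SNI is readable before any decryption takes place, so the exemption decision can be made without touching the content of the exempted flows; only flows that fall outside the agreed categories are handed to the decrypting inspection path.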
Here are four recommendations to eliminate the security blind spots in your network:
Greg is a Director of Product Marketing at Blue Coat Systems, Inc., leading the marketing efforts for two of the company’s product lines: Encrypted Traffic Management solutions and the X-Series Integrated Security Platform. A creative marketer and evangelist, his responsibilities include driving the promotion, awareness and sale of Blue Coat’s market-leading security solutions, enabling the global sales field and channels to accelerate sales, and driving thought leadership in support of the network security industry.
With over 25 years of experience in the networking industry, Greg has held various strategic marketing, product marketing and product line management roles in several high-technology companies, with an emphasis on network security, network and systems management and data center solutions. Prior to joining Blue Coat in 2013, he held various marketing and management roles at VMware, Cisco, Novell and Nortel Networks Corporation. Greg holds a Bachelor’s degree in Applied Physics from Hiram College, Ohio.