The Decryption Problem
As organizations continue to move to the cloud, increase their use of APIs and adopt ever more complex and sensitive systems, and as they incorporate more mobile and third-party applications and IoT devices into their networks, they find themselves with increasingly complex multi-cloud architectures. As a result, web and application-based traffic volumes are growing rapidly and make up a growing proportion of total traffic. Much of this traffic carries sensitive data that was traditionally kept deep inside their servers. To accommodate this change, organizations are relying more heavily on encryption, primarily Secure Sockets Layer (SSL) and Transport Layer Security (TLS), to protect their data in motion and other sensitive information.
80 percent of traffic now encrypted
As a result, the proportion of encrypted traffic has hit a new all-time threshold, with over 80 percent of all network traffic now encrypted. That’s nearly a 20 percent increase in just a single year, up from 58 percent in Q3 of 2017. There are many benefits to this strategy, the most important of which is that it allows data, applications, workflows, and transactions initiated by both employees and consumers to travel wherever business requirements demand. In turn, this enables our global transition to a digital economy.
While in many ways the growth of encryption is a good thing for security, it also creates a backdoor for hackers and threat actors to hide from traditional detection tools. Indeed, Gartner’s “Hype Cycle of technologies 2017” warns: “For enterprises that are too slow to adopt web traffic decryption best practices, the main risk is exposing their infrastructure to targeted malware campaigns and data loss. Evolutions of ransomware that leverage encryption for malware delivery and command-and-control communications will have higher financial costs because of longer dwell time before detection. The value of network security controls will decrease because of encrypted web traffic blindness.”
Decryption cannot keep up with the technical challenges
Inspecting encrypted traffic imposes critical performance limitations on nearly all firewall and IPS devices available on the market today. Generally speaking, examining encrypted traffic puts an enormous strain on a security device: decrypting SSL/TLS traffic correctly and then inspecting it is extremely CPU-intensive.
According to recent test results from NSS Labs, very few security devices can inspect encrypted data without severely impacting network performance. On average, throughput for deep packet inspection dropped by 60 percent, connection rates dropped by 92 percent and response time increased by a whopping 672 percent. Even more concerning, not all the products tested supported the top 30 cipher suites, meaning that some traffic that appeared to be analyzed was not being processed by some of the security devices at all.
Of course, these types of results render most traditional security devices nearly useless in today’s networks, where encryption has become the norm and performance is always a critical requirement. It’s also why most security vendors don’t publish their SSL/TLS inspection numbers and why salespeople tend to avoid the issue when it comes up with prospects and customers. As a result, much of today’s encrypted traffic is not being analyzed for malicious activity – making it an ideal mechanism for criminals to spread malware or exfiltrate data.
At the same time, enterprises must be made aware – and suitably concerned – if they are not decrypting and inspecting SSL traffic, not just from untrusted sources, but from devices – especially IoT devices – that have been intentionally deployed inside the network.
One of the biggest hacks of recent years is Equifax. The company said that the reason the attackers went undetected for 76 days was that a device meant to inspect network traffic had been misconfigured and so was not checking encrypted traffic for signs of malicious activity.
A recent report from Gartner mentions that an organization launching a web traffic decryption project will face many other challenges that will impact speed to adoption:
- Organizational: Decrypting HTTPS creates privacy challenges for monitored employees. Local regulations or enterprise culture might hinder the decryption project or create internal tensions.
- Budgetary: The average cost per user of network security controls will increase dramatically because of the decryption costs, but the overall organizational perception of value might be low.
- Privacy: With privacy laws in countries like Canada and across Europe, organizations are not allowed to decrypt and inspect the traffic.
This is just the beginning
If your organization hasn’t been impacted by this challenge yet, it soon will be. There is no sign that traffic volume is going to slow down, nor that the percentage of network traffic being encrypted and needing specialized inspection is going to taper off. The best approach is to address this challenge before it becomes critical. The last thing you want is to allow uninspected traffic to flow freely through your network, or to become the victim of your own denial-of-service outage because your security tools could no longer meet your network’s performance requirements.
A new approach (patent pending) has been developed by barac. By inspecting the metadata, rather than the contents, of encrypted traffic, and combining this with machine learning and behavioral analytics, it is possible to detect signs of attacks, malware or anomalies in encrypted traffic without the need for decryption. Because nothing is decrypted, this process can run in real time with limited impact on network performance. Furthermore, a high degree of accuracy will enable organizations to secure their infrastructures against the growing tide of attacks that use encrypted malware.
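To make the metadata-only idea concrete, here is an added illustration that is not barac’s code and does not reproduce its patent-pending method: it parses the cleartext part of a TLS ClientHello (offered version, SNI, cipher suites, extension types) straight from the record bytes, with no key material, and applies two hand-written policy checks. The record layout follows the TLS handshake format; the test input is constructed by the builder, and the WEAK_SUITES set and the checks in flag() are illustrative assumptions, not a real product’s ruleset.

```python
# Added example (not barac's code): read the cleartext metadata of a TLS
# ClientHello (offered version, SNI, cipher suites, extensions) without any
# decryption, then apply two hand-written, illustrative policy checks.
import struct

def build_client_hello(sni, suites, versions):
    """Assemble a minimal ClientHello record (constructed test input)."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    ver = b"".join(struct.pack("!H", v) for v in versions)
    ver_ext = struct.pack("!HHB", 0x002B, len(ver) + 1, len(ver)) + ver
    exts = sni_ext + ver_ext
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Return the cleartext metadata of a ClientHello record as a dict."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9                                         # past record + handshake headers
    version = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    p += 32 + 1 + rec[p + 32]                     # client random, then session id
    n = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + rec[p]                               # compression methods
    ext_len = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    end, exts, sni = p + ext_len, [], None
    while p < end:
        etype, elen = struct.unpack("!HH", rec[p:p + 4]); p += 4
        exts.append(etype)
        if etype == 0:                            # server_name: list len, type, name len, name
            nlen = struct.unpack("!H", rec[p + 3:p + 5])[0]
            sni = rec[p + 5:p + 5 + nlen].decode("ascii", "replace")
        p += elen
    return {"version": version, "sni": sni, "suites": suites, "extensions": exts}

WEAK_SUITES = {0x000A, 0x002F, 0x0035}            # RSA 3DES/AES-CBC suites, for illustration

def flag(meta):
    # Findings a metadata-only inspector could raise (assumed policy, not a product's).
    findings = []
    if meta["sni"] is None:
        findings.append("no SNI")
    if WEAK_SUITES & set(meta["suites"]):
        findings.append("legacy cipher suite offered")
    return findings
```

In a real deployment these fields would be fed, per flow, into the behavioral model rather than matched against a static set; the point is that every value used here is visible on the wire before any encryption starts.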