SSL/TLS encryption is widely used to secure communications to internal and external servers, but can blind security mechanisms by preventing inspection of network traffic, increasing risk.
In fact, Gartner predicts that in 2017 more than half of network attacks targeting enterprises will use encrypted traffic to bypass controls. With attackers preying on the security gaps created by encrypted traffic, I’ll examine the five most common network traffic inspection errors made today:
Lack of attention. Gartner found that defense-in-depth effectiveness gaps are being ignored. For example, most organizations lack formal policies to control and manage encrypted traffic. Fewer than 50% of enterprises with dedicated Secure Web Gateways (SWG) decrypt outbound web traffic. Also, fewer than 20% of organizations with a firewall, an intrusion prevention system (IPS) or a unified threat management (UTM) appliance decrypt inbound or outbound SSL traffic.
Inaccuracy. Enterprises inaccurately throw money at all kinds of solutions, from IDS/IPS and DLP to NGFW, malware analysis and more. While these solutions address a variety of issues, they only offer SSL inspection as an add-on feature, if at all, with limited visibility into just web/HTTPS traffic. In this case, multiple appliances must be deployed to support the inspection of processor-intensive SSL traffic, which is costly, ineffective and operationally challenging.
Balking (starting and stopping). Starting and stopping often plagues IT security teams when it comes to encrypted traffic decryption projects. The complex set of laws and regulations on data privacy typically impedes decision making by the Legal, HR or Compliance Teams. Furthermore, the risk of conflict and dissatisfaction with employees (i.e. “Why is IT inspecting my emails?), often derails these encrypted traffic decryption efforts.
Playing with a weak defense. Malware is using SSL to do its damage. For example, according to Gartner, the pervasive Zeus botnet uses SSL/TLS communication to upgrade after the initial email infection. Furthermore, here at Blue Coat Research Labs we’ve seen that the malicious Dyre Trojan often utilizes nefarious command and control (C2C) mechanisms like Update to communicate secretly with its command and control servers.
Letting the environment cloud your game. The rapid adoption of cloud apps and services dramatically expands and complicates the IT environment, accelerates SSL/TLS encrypted traffic use, and expands the risk surface for attacker exploitation. Modern applications such as social media, file storage, search and cloud-based software increasingly use SSL/TLS as their communications foundation. Monitoring and scouring these applications and services for malicious content and activity is highly recommended. At minimum, the expanding use of these applications creates more questions about when to strategically encrypt and decrypt.
Here are four recommendations to eliminate the security blind spots in your network:
1. Take inventory and plan for growth: Assess the SSL encrypted network traffic mix and volume in your organization
2. Evaluate the risk of un-inspected traffic: Share insights and collaborate with your non-IT colleagues in HR, Legal or Compliance, review and refine established policies from a security, privacy and compliance standpoint and then create a joint action plan to resolve any vulnerabilities.
3. Enhance your network security infrastructure with comprehensive encrypted traffic management: Empower existing NGFW, IDS/IPS, anti-virus, DLP, malware analysis (sandbox) and security analytics solutions with the ability to detect all threats – even from formerly encrypted traffic - and process them accordingly.
4. Monitor, refine and enforce: Constantly monitor, refine and enforce the acceptable use policies for encrypted applications and traffic in and out of your network.