Tackling The SSL Encrypted Traffic Blindside NFL-Style

SSL/TLS encrypted network traffic needs to be managed much like an NFL pass rusher. SSL/TLS encryption is widely used to secure communications to internal and external servers, but can blind security mechanisms by preventing inspection of network traffic, increasing risk.

Cybercriminals are like the defensive ends trying to get past your offensive line and do damage (sack your quarterback). In fact, Gartner predicts that in 2017 more than half of network attacks targeting enterprises will use encrypted traffic to bypass controls. Advanced threats use hidden “command and control” channels to execute malicious programs and exfiltrate proprietary data.

Falling short

It’s obvious that taking your eye off the opponent carries negative consequences. However, the reality is today’s strategies for encrypted traffic management typically fall short. With attackers preying on the security gaps created by encrypted traffic, let’s examine the five most common network traffic inspection errors made by today’s security leaders:

Lack of attention. Gartner finds that defense-in-depth effectiveness gaps are being ignored. For example, most organisations lack formal policies to control and manage encrypted traffic. Less than 50 percent of enterprises with dedicated Secure Web Gateways (SWG) decrypt outbound Web traffic. Less than 20 percent of organisations with a firewall, an intrusion prevention system (IPS) or a unified threat management (UTM) appliance decrypt inbound or outbound SSL traffic.

Inaccuracy. Enterprises throw money at solutions of every kind, from IDS/IPS and DLP to NGFW, malware analysis and more. While these solutions address a variety of issues, most offer SSL inspection only as an add-on feature, if at all, and typically with visibility into web/HTTPS traffic alone. Each appliance then has to decrypt the processor-intensive SSL traffic on its own, which is costly, ineffective and operationally challenging.

Starting and stopping. Starting and stopping often plagues IT security teams when it comes to encrypted traffic decryption projects. The complex set of laws and regulations on data privacy typically impedes decision making by the Legal, HR or Compliance teams. Furthermore, the risk of conflict and dissatisfaction with employees (e.g. “Why is IT inspecting my emails?”) often derails these encrypted traffic decryption efforts.

Playing with a weak left tackle. Malware is using SSL to do its damage. For example, according to Gartner, the pervasive Zeus botnet uses SSL/TLS communication to upgrade after the initial email infection. Furthermore, here at Blue Coat Research Labs we’ve seen that the Dyre banking Trojan, which typically arrives via the Upatre downloader, hides its command and control (C2) traffic inside SSL/TLS so that it can talk to its C2 servers unseen.

Letting the environment cloud your game. The rapid adoption of cloud apps and services dramatically expands and complicates the IT environment, accelerates SSL/TLS encrypted traffic use, and expands the risk surface for attacker exploitation. Modern applications such as social media, file storage, search and cloud-based software increasingly use SSL/TLS as their communications foundation. Monitoring these applications and services for malicious content and activity is strongly recommended. At a minimum, their expanding use raises more questions about when to decrypt traffic and when to leave it encrypted.

Here are four recommendations to eliminate the security blind spots in your network:

1. Take inventory and plan for growth: Assess the SSL encrypted network traffic mix and volume in your organization.

2. Evaluate the risk of un-inspected traffic: Share insights and collaborate with your non-IT colleagues in HR, Legal or Compliance, review and refine established policies from a security, privacy and compliance standpoint and then create a joint action plan to resolve any vulnerabilities.

3. Enhance your network security infrastructure with comprehensive encrypted traffic management: Empower existing NGFW, IDS/IPS, anti-virus, DLP, malware analysis (sandbox) and security analytics solutions with the ability to detect all threats – even from formerly encrypted traffic – and process them accordingly.

4. Monitor, refine and enforce: Constantly monitor, refine and enforce the acceptable use policies for encrypted applications and traffic in and out of your network.
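Steps 1, 2 and 4 above can be started without decrypting anything: a TLS ClientHello is sent in the clear, and its Server Name Indication (SNI) and offered versions are enough to inventory the traffic mix and to apply a decrypt-or-bypass policy agreed with HR, Legal and Compliance. The Python below is an added example written for this article, not code from the original page or from Blue Coat; it parses ClientHello records, tallies them by TLS version, and applies a hypothetical policy in which the `BYPASS_ZONES` domains stand in for categories (finance, healthcare) that the privacy review decided not to decrypt. The sample records are constructed in the script, not captured traffic.

```python
import struct
from collections import Counter

TLS_NAMES = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}

# Hypothetical bypass list: zones where the privacy/compliance review decided not to decrypt.
BYPASS_ZONES = {"bank.example": "finance", "health.example": "healthcare"}


def build_client_hello(sni, supported_versions=None, legacy_version=0x0303):
    """Construct a minimal TLS ClientHello record (used only to make test input)."""
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name, type 0
        lst = struct.pack("!H", len(entry)) + entry
        ext += struct.pack("!HH", 0, len(lst)) + lst                     # extension 0 = server_name
    if supported_versions:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext += struct.pack("!HH", 43, len(vs) + 1) + bytes([len(vs)]) + vs  # extension 43
    body = (struct.pack("!H", legacy_version) + bytes(32) + b"\x00"     # version, random, empty session id
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"                # two cipher suites
            + b"\x01\x00"                                               # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract legacy version, offered versions (ext 43) and SNI (ext 0) from a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    info = {"legacy_version": struct.unpack("!H", body[0:2])[0],
            "supported_versions": None, "sni": None}
    pos = 2 + 32                                  # skip legacy version and random
    pos += 1 + body[pos]                          # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                          # compression methods
    if pos + 2 > len(body):
        return info                               # pre-extension client
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0 and len(edata) >= 5 and edata[2] == 0:     # first host_name entry
            name_len = struct.unpack("!H", edata[3:5])[0]
            info["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
        elif etype == 43 and edata:
            n = edata[0]
            info["supported_versions"] = [struct.unpack("!H", edata[i:i + 2])[0]
                                          for i in range(1, 1 + n, 2)]
    return info


def negotiable_version(info):
    """Highest version the client will accept: supported_versions if present, else the legacy field."""
    known = [v for v in (info["supported_versions"] or []) if v in TLS_NAMES]
    return max(known) if known else info["legacy_version"]


def decrypt_decision(info):
    """Hypothetical policy: bypass agreed privacy zones, decrypt the rest, and flag flows
    without SNI because they cannot be categorised by name."""
    sni = info["sni"]
    if sni is None:
        return "decrypt", "no SNI, cannot categorise: inspect and review"
    for zone, category in BYPASS_ZONES.items():
        if sni == zone or sni.endswith("." + zone):
            return "bypass", category
    return "decrypt", "default"


def inventory(records):
    """Summarise a batch of ClientHellos by TLS version and policy outcome (step 1 and step 4)."""
    summary = {"versions": Counter(), "decisions": Counter(), "no_sni": 0, "pre_tls12": 0}
    for rec in records:
        info = parse_client_hello(rec)
        ver = negotiable_version(info)
        summary["versions"][TLS_NAMES.get(ver, hex(ver))] += 1
        if ver < 0x0303:
            summary["pre_tls12"] += 1
        if info["sni"] is None:
            summary["no_sni"] += 1
        summary["decisions"][decrypt_decision(info)[0]] += 1
    return summary


# Constructed sample traffic, not captured data.
SAMPLE_RECORDS = [
    build_client_hello("www.example.com", [0x0304, 0x0303]),
    build_client_hello("online.bank.example", [0x0303]),
    build_client_hello("portal.health.example", [0x0304, 0x0303]),
    build_client_hello(None),                                      # no SNI at all
    build_client_hello("legacy.example", legacy_version=0x0301),   # old client, no ext 43
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        info = parse_client_hello(rec)
        print(TLS_NAMES.get(negotiable_version(info)), info["sni"], decrypt_decision(info))
    print(inventory(SAMPLE_RECORDS))
```

In production the records would come from a packet capture or a Zeek `ssl.log` rather than from `SAMPLE_RECORDS`, and the bypass list would be a category feed rather than two hard-coded domains. The two counters worth watching over time are `no_sni` (flows that can only be categorised by destination IP, a common trait of malware C2) and `pre_tls12` (clients that will fail or weaken once an inspecting proxy is inserted).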


Duncan MacRae

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.
