Visibility is the first step towards successful security. Detecting threats, monitoring critical assets, and responding to attacks all require the SecOps team to have total visibility into what's happening in the network.
So what happens to SecOps visibility when internal network traffic is encrypted?
In every area where studies have been conducted, the amount of encryption being used is on the rise. A 2018 Ponemon study found that the number of businesses applying encryption across their enterprise has increased steadily since 2005 across all industry sectors, from 15% in 2005 to 43% in 2018. Additionally, the Google Transparency Report says that 91% of traffic to Google in the United States is encrypted, with similarly high percentages of encrypted requests from many other countries worldwide. This is forcing security teams to weigh the security and privacy benefits of encryption against the need for visibility when investigating and responding to active threats.
This creates both a challenge and an opportunity for security products and vendors. The ability to provide visibility by decrypting data, while respecting privacy and security policies, will become a key differentiator.
What Vendors Say When They Can't Do Decryption
Today, many security analytics vendors are taking the wrong approach to "solving" the encryption issue for their customers: they tell the customer that visibility into SSL protocol headers is good enough, so decryption isn't important and they don't need to see the transaction contents.
This does not reflect the needs of the customer, nor the truth about security analytics. Imagine saying "I can detect a terrorist attack in progress by watching how much mail is being sent and only reading the outside of each envelope." That's what conducting analytics on headers and metadata alone attempts to do.
Seeing into the messages inside the envelopes provides much richer information, even forensic evidence upon which to base investigation and response actions. That's why the ability to decrypt data for analytics is so important for SecOps.
Why Encrypt? Why Decrypt?
The same 2018 Ponemon study found that the top three reasons businesses deploy encryption are as follows: 1. To protect their data from specific, identified threats, 2. To protect company intellectual property, 3. To protect customers' personal information.
81% of respondents to the same survey said that they have encryption deployed on internal network communications, indicating a strong preference toward encrypting internal data, even at the cost of making analytics more difficult. This is a Catch 22 for SecOps teams. Encryption helps protect valuable data, but also makes it challenging to investigate threats, and can even provide a screen behind which attackers can hide. To paraphrase a recent conversation with the head of the security operations center at one of the biggest brands in the world: "For us, and probably every other company out there, SSL/TLS is absolutely crippling."
While SecOps teams in this situation may have access to limited metadata about encrypted traffic, such as source and destination host, the most useful contents of the traffic for security purposes are obscured by encryption. For example, when a new user tries to access a sensitive database, that may look suspicious, but it may not be a real threat. If you are able to decrypt traffic so you can see the contents of the communications between the client and the DB, you can tell if they're just a normal new user, or they're trying to steal sensitive data.
In any situation where internal communications are encrypted, that data is obscured. You may see that the client and DB were communicating, but you can't see what they said. The SecOps team is forced to refer to less timely analytics sources such as logs or DB profilers, or may not have visibility into the needed information at all.
That's the blind spot in the network. With the right decryption solution, you eliminate it.
The 2016 Cisco Annual Cybersecurity Report found that encryption posed a challenge for security teams, stating that "Encryption conceals the indicators of compromise used to identify and track malicious activity." Just two years later, in their 2018 Annual Cybersecurity Report, Cisco found that 70% of the malware binaries they sampled took advantage of encrypted network traffic in some manner. The Symantec 2017 Internet Security Threat Report found a 60% increase in malware that specifically used SSL to encrypt its own communications.
Bad actors can disguise their attempts at lateral movement and data exfiltration in encrypted traffic, making it difficult or impossible to detect. They may encrypt their own traffic or conduct reconnaissance to understand the encryption practices of their target, so they can hide their own malicious activity in traffic being encrypted by the target organization. For companies that are decrypting their data for analytics purposes, any data that remains encrypted offers strong evidence that malicious activity is underway.
For example, SSH (secure shell) tunneling is a widely used practice at many companies that is often exploited by hackers hoping to hide their tracks. SSH tunneling allows employees to connect remotely to their computers for various legitimate reasons, but can also be used to encrypt an attacker's communications, enable lateral movement within the network, and obscure the routes the attacker is using to move data out of a network. Attackers use these tactics to increase the time they can remain undetected in the network, sometimes called "dwell time," giving them more opportunities to succeed in the mission of stealing or destroying valuable data.
Speaking of dwell time: the 2018 Verizon Data Breach Incident Report analyzed over 50,000 security incidents and determined that in 68% of cases, the incident took months to detect. In 2017, Mandiant reported that the average dwell time of a threat in a corporate environment was 99 days.
SecOps teams desperately need to bring that number down, and getting better visibility into encrypted data will help them meet that goal.
In part two of this series, we'll explore several methods SecOps teams can use to retain visibility in the era of encryption, as well as some vital questions to ask any security vendor to understand whether their decryption solution is effective and secure.