This is part two of a series on the impact that encryption has on enterprise SecOps teams who rely on visibility and analytics to investigate and remediate threats. Read part one to learn more about the current encryption landscape, including research by Google, Ponemon, Symantec, Cisco, and more.
How Do You Maintain Visibility Into Encrypted Traffic?
The obvious answer here is to decrypt the traffic, but that introduces its own challenges. Decrypting traffic is computationally expensive, may require additional infrastructure, and creates security and privacy concerns. Security teams need the ability to decrypt traffic for analysis without violating privacy regulations or making the data more vulnerable to theft or exploitation.
This is not the same as turning off the encryption in the first place. Targeted decryption of relevant data can be a great tool. Turning off encryption so an analytics vendor doesn't have to work as hard makes the unencrypted data much more vulnerable to theft and abuse.
Man-in-the-Middle Solutions Hurt More Than They Help
One way some security teams have addressed this problem is with a "man-in-the-middle" solution that ingests all traffic flowing through the network, decrypts and analyzes it before re-encrypting to send on to its final destination. This method is expensive, creates management overhead, and can introduce encryption weaknesses, since the device doing the decryption may itself be vulnerable to compromise. MITM solutions can also negatively impact the performance of the network, since they have to conduct their operations on data before it reaches its intended destination.
A 2017 study conducted by researchers from several universities on the security impact of MITM or "middlebox" products concluded the following:
"As a class, interception products drastically reduce connection security. Most concerningly, 62% of traffic that traverses a network middlebox has reduced security and 58% of middlebox connections have severe vulnerabilities."
The combination of added risk and performance overhead make MITM decryption solutions an unacceptable compromise for most enterprise security teams.
By decrypting at line rate on an out of band appliance, security teams can avoid negative impact on network performance. Since out-of-band solutions do not terminate and re-initiate connections, they do not introduce latency. Nor do they introduce encryption weaknesses.
The potential downside to out-of-band solutions is that they are unable to block malicious traffic. If an out-of-band decryption solution sees malicious traffic or malware, it cannot take direct action to contain the threat. That means, if you're using an out-of-band solution to decrypt and analyze data, you'll need a separate system to respond to threat signals.
The best out-of-band solutions will have open APIs and other means of integrating with firewalls and endpoint solutions. This is why open platforms and simple integrations are so vital for a successful security architecture. No single tool can handle every aspect of security, so the best-of-breed solutions need to be able to work together seamlessly.
More Encryption Challenges
With the recent approval of TLS 1.3 by IETF, perfect forward secrecy (PFS) should be top-of-mind for security teams. PFS uses a session key derived from client and server information for every session, so that if one conversation is compromised, the rest of the conversations on that network are still theoretically secure.
This adds a huge multiplier to the number of encryption keys in effect and increases the difficulty of decrypting traffic for security analytics. Learn more about how TLS 1.3 is affecting the SOC in this recorded webinar:
How to Find the Best Solution to the Challenge of Encrypted Data
Knowing your own needs is the best way to decide whether an individual solution will work for you, but generally getting enough visibility will require decrypting some data. Any vendor should be able to work with you to determine your needs. If a vendor is pressuring you to handle your data in a less secure way than usual just to get monitoring capabilities, they are not the right one to help you figure out your needs.
Ultimately, an out-of-band solution with the capability to decrypt traffic at line rate, even with PFS enabled, seems like an ideal solution, but circumstances vary from team to team. Each team needs to map their own blind spots and understand what they need to shed light into the dark space in their own environment to stay secure while getting the benefits of secure visibility and analysis.
Questions to Ask Any Vendor About Encryption and Decryption
- Does the solution intercept traffic and/or terminate and reinitiate connections?
- Does the solution offer controls for how decrypted data is accessed and used?
- Does the solution reëncrypt the decrypted data? What ciphersuite is used?
- If you are intercepting traffic, what is your strategy for key management?
- If you are intercepting traffic, what is your strategy for cipher management? Many older appliances are weakening encryption because they were configured years ago.
- What analytics are you getting out of your encrypted traffic? Just slim metadata about HTTP or are you getting full analysis? (For the curious, ExtraHop supports SMTP & LDAP & others in addition to HTTP)
- How do you deliver the MITM certificate to all your endpoints? How many hours per week does your helpdesk deal with MITM certificate errors?