
The Network Is Going Dark: TLS 1.3 and Security Operations Visibility

This year at RSA Conference, I had the privilege of presenting a technical session on the implications of TLS 1.3 for security operations visibility along with Josh Northrup at Fiserv, an important ExtraHop customer that worked with us to test and refine a highly scalable solution for TLS 1.3 decryption.

The talk was well received, so I wanted to share it with the hope of benefiting a broader audience, especially organizations that are considering their options for handling TLS 1.3. I've outlined the presentation below, but the slides and a video recording are available on the RSA Conference session page: The Network Is Going Dark: Why Decryption Matters for SecOps

  • Introduction
    • The trend is toward total encryption of network traffic both on the Internet and within datacenter, cloud, and campus environments
    • TLS 1.3 is more secure, but creates challenges for out-of-band monitoring by using ephemeral session keys
  • Options for organizations
    • Analysis of encrypted traffic using fingerprinting and other techniques
    • Man-in-the-middle appliances to break and inspect encrypted traffic
    • Session-key forwarding for local services
  • My recommendations
    • For user and BYOD traffic, use the break-and-inspect method
    • For local services that you control, use session-key forwarding at choke points such as application delivery controllers and proxies
  • Fiserv deployment of session-key forwarding
    • Large deployment with 3,500+ servers and 6,000 sessions per second across multiple data centers
    • Not just for HTTPS, but also services such as LDAP
    • Session-key forwarders are built into the automation framework
