Security / Encryption Auditing

How can my security engineering team stay abreast of the SSL traffic within our network?

The Problem

A large enterprise struggled with the rapid growth of SSL encryption, and especially with auditing its SSL usage. The enterprise was not alone. The Global Internet Phenomena Report, published by Sandvine, showed that the percentage of HTTP traffic that was encrypted in North America jumped from 2.29 percent to 3.8 percent in 2014.

The company's incoming SSL traffic represented business that the company was transacting every day. The company had specialized SSL offload hardware that took much of the load off their servers, but this hardware was spread over many different devices. Gathering information about available overhead, health, and how well this hardware was performing was almost impossible. The company had already run out of SSL offload hardware once and had to rush to buy new hardware.

Desired Outcome

  • Discover how many SSL certificates are used in the environment and see the trend over time
  • Understand how much bandwidth and resources each SSL certificate represents
  • Plan hardware purchases for SSL offload equipment based on activity trends
  • Consolidate SSL certificate usage where possible
  • Weed out SSL certificates that are paid for but unused

The Solution

Using the ExtraHop platform, the security engineers discovered a rich data set for understanding how their organization was using SSL. In one place, they were able to model and view the entire set of SSL behaviors on their network, including current and historical SSL behavior, total SSL throughput, SSL anomalies, and the most-used SSL certificates.

Comparing current and historical SSL behavior, the security engineers found surprising information. Occasionally, incoming SSL usage would suddenly triple for 20-minute increments, regardless of the time of day or the day of the week. This pattern suggested a potential attack. When the team investigated further, they discovered that a partner was running batch jobs at irregular intervals. To prevent this activity from affecting operations, the IT team dedicated a unique server for partners.

In another view, Total Throughput, the security engineers had a complete view of the SSL traffic (response and request) on their network. This up-to-the-minute view helped the IT organization understand exactly when they needed to add SSL offload hardware.

User Impact

With a list of the top certificates in use, the SSL decryption rate, and SSL certificate reuse, the IT organization suddenly had a new way to manage its SSL infrastructure. This real-time visibility enabled the IT organization to move from a reactive to a proactive mode of operations, making data-driven decisions regarding capacity planning, security, and certificate reuse.

With the ExtraHop platform, the company was able to determine that their SSL offload hardware was sufficient to carry their SSL needs for several more quarters at the present rate of growth. Using ExtraHop reports to predict the future growth rate, the business leaders and IT organization had several months of lead time to budget the SSL hardware expansion.

