Lurking Inside Your SSL
Encryption is an incredibly powerful tool in the cyber-security arsenal, providing a strong additional layer of security for sensitive data. And recent data from Mozilla, developer of the Firefox browser, suggests that it is becoming more and more widely used globally by organizations and individuals. According to the company, half of all traffic in transit on the Internet is now encrypted, which is a 10% increase compared with December 2015. This has been driven by the growing availability of free Certificate Authorities, and the adoption of SSL by large hosting providers such as CloudFlare and Amazon.
This is an encouraging development, as encryption protects data in transit from interception and snooping by prying eyes. It makes it difficult for would-be cybercriminals to harvest information from, say, the contents of corporate emails. However, there is a darker side to SSL encryption: it can also mask malicious content, such as malware. Research conducted earlier this year found that nearly half of the organizations across a range of industry sectors that had suffered a cyber attack subsequently discovered that their attackers had used SSL-encrypted traffic to conceal malware and smuggle it onto corporate networks.
Shining a light on hidden threats
There is no question that this is a problem for many organizations, as their conventional network security tools cannot inspect SSL-encrypted traffic. This allows malware hidden within that traffic to pass right past their security controls. Every encrypted flow that goes uninspected is another security blind spot, leaving enterprises at greater risk of infections and breaches.
The solution is to inspect all SSL-encrypted traffic using the same deep packet inspection techniques you would use for cleartext network traffic. Accomplishing this requires complete visibility into network traffic from every source: physical, virtual and hybrid cloud environments. You need to see it all, because you can’t defend against threats that you can’t see. Full, unobscured access is achieved with stateful SSL decryption, which provides complete session information for each flow, as opposed to the raw data packets alone that stateless decryption offers. Stateful decryption exposes anomalies hidden in network traffic, such as intrusion attempts or malware.
In terms of where encrypted traffic should be inspected, and which tools should be used, most next-generation firewalls can perform this function. However, as volumes of encrypted traffic rise, more processing power is consumed decrypting it, which reduces the firewall’s performance and makes it a potential network bottleneck. Also, if decryption happens only in the firewall, any out-of-band monitoring and compliance tools are left to decrypt the same data again with their own resources. This is inherently inefficient at the network level, where many security, analytics and compliance tools are all looking at much of the same data.
The answer to this performance challenge is to integrate a network packet broker (NPB) to offload the extra processing burden from firewalls, security gateways and application monitoring tools. This maximizes the capacity of your security tools, enabling them to better identify and respond to attacks. Using an NPB also boosts overall network performance and availability by balancing the distribution of network traffic loads across your security estate. And not all NPBs are the same. Some handle large data volumes efficiently, while some of our Orange Box competitors fail. See for yourself on our Enterprise Solutions page. Efficiency is all about the engine, which in our case is a powerful Security Fabric.
As the use of SSL-encrypted traffic continues to grow, it’s critical to ensure that you don’t get blindsided by threats lurking within it. Stateful SSL decryption using a dedicated NPB gives you full visibility of what is really happening in your networks, and ensures there is nowhere that threats can hide from your security weapons.