When encryption becomes a security risk

September 13, 2016 by Marie Hattar

What did nearly half of the organizations attacked this year have in common? The answer might surprise you: it involves data encryption. Research has revealed that nearly half of the organizations in financial services, healthcare and other industries that suffered a cyberattack in the past year subsequently found that their attackers had used the organizations' own SSL-encrypted traffic to conceal malware.

Encryption is a hugely important tool when it comes to protecting data, and it is getting more and more widely used. For most datacenters, SSL-encrypted traffic is estimated to make up between 15% and 25% of all traffic, and that figure is growing all the time. Mainstream awareness and understanding of encryption are increasing too. In April of this year, for example, the popular WhatsApp messaging app announced that it had enabled full end-to-end encryption by default for all its users. Encryption hides transmitted data from prying eyes, making it difficult for would-be cybercriminals to intercept and steal information from, say, the contents of corporate email.

However, the flip side of this valuable, additional layer of security for sensitive data is that it also disguises more malicious content, such as malware. Security tools that match on packet payloads, among them intrusion detection signatures, anti-virus scanning of downloads and data-loss prevention, see only ciphertext once the SSL handshake is complete. What remains visible in the clear is handshake metadata such as the requested server name and the server's certificate, which is enough for some threat indicators but not for spotting malware inside a download. Malware carried in SSL-encrypted traffic therefore bypasses those controls unless something decrypts it first.

Uncovering threats in encrypted traffic

What is the answer to this catch-22 situation? As with everything Ixia does, the key underlying principle is visibility – because you cannot secure what you cannot see. Organizations need, in short, to inspect SSL-encrypted traffic with the same rigor and robustness that they inspect any other kind of traffic. And they need to inspect for two distinct security risks: tangible threats such as malware, and threat indicators such as signs that a malicious party is scanning the network for vulnerabilities.

This inspection is powered by stateful SSL decryption: the inspection point has to follow each session from its handshake onward, because the keys and record boundaries that make sense of any single packet are only known in the context of the whole session. Security teams need to be able to see into encrypted traffic from business and web applications, and they need complete session information, so that they can understand the full 'transaction' of a particular piece of traffic. Two caveats apply. Decryption only reaches traffic the inspection point is actually able to decrypt: with a copy of the server's private key, passive decryption works only for RSA key exchange, while cipher suites with forward secrecy (DHE and ECDHE) can only be inspected by an inline device that terminates the session and re-establishes it to the server, and applications that pin certificates will refuse to talk through such a device. And the visibility that exposes malware exposes everything else too, so the decryption policy should exempt traffic the organization has no business reading, such as employees' banking and health sites.
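To make concrete what a non-decrypting monitor can and cannot see, and why the inspection has to be stateful, here is an added example in Python; it is not code from the original post or from Ixia. It is a small passive TLS record inspector fed a constructed byte stream that has been split across three TCP segments at arbitrary offsets. It recovers the handshake metadata that survives encryption (the server name the client asked for, the cipher suites offered and the one chosen), counts application-data records whose contents it cannot read, and reports whether passive decryption with the server's private key would even be possible for the negotiated suite. The hostname, cipher-suite choices, segment boundaries and record contents are all constructed for the example, and the small cipher-suite table covers only the codepoints the sample uses.

```python
"""Passive, stateful inspection of a TLS byte stream (added example).

Without session keys a monitor can still read handshake metadata (SNI,
cipher suites) from TLS <= 1.2, but sees application data only as opaque
ciphertext. The inspector also reports whether passive decryption with the
server's RSA key would be possible for the negotiated cipher suite.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

HANDSHAKE, APPLICATION_DATA = 0x16, 0x17   # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 1, 2          # handshake message types
SNI_EXT = 0                                # server_name extension type

# Key-exchange method for the IANA cipher-suite codepoints used in the sample.
KEY_EXCHANGE = {
    0x002F: "RSA",    # TLS_RSA_WITH_AES_128_CBC_SHA
    0x009C: "RSA",    # TLS_RSA_WITH_AES_128_GCM_SHA256
    0x009E: "DHE",    # TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    0xC02F: "ECDHE",  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    0xC030: "ECDHE",  # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
}


@dataclass
class Session:
    sni: Optional[str] = None
    offered: List[int] = field(default_factory=list)
    chosen: Optional[int] = None
    app_data_records: int = 0
    app_data_bytes: int = 0
    _buf: bytes = b""  # partial record carried between segments: the "state"

    def feed(self, segment: bytes) -> None:
        """Consume one TCP segment; TLS records may straddle segment boundaries."""
        self._buf += segment
        while len(self._buf) >= 5:
            ctype, _version, length = struct.unpack("!BHH", self._buf[:5])
            if len(self._buf) < 5 + length:
                return                          # wait for the rest of this record
            body, self._buf = self._buf[5:5 + length], self._buf[5 + length:]
            if ctype == HANDSHAKE:
                htype, hlen = body[0], int.from_bytes(body[1:4], "big")
                msg = body[4:4 + hlen]
                if htype == CLIENT_HELLO:
                    self._client_hello(msg)
                elif htype == SERVER_HELLO:
                    self._server_hello(msg)
            elif ctype == APPLICATION_DATA:
                self.app_data_records += 1      # ciphertext: count it, cannot read it
                self.app_data_bytes += length

    def _client_hello(self, m: bytes) -> None:
        pos = 2 + 32                            # client_version + random
        pos += 1 + m[pos]                       # session_id
        n = struct.unpack("!H", m[pos:pos + 2])[0]
        pos += 2
        self.offered = [struct.unpack("!H", m[i:i + 2])[0] for i in range(pos, pos + n, 2)]
        pos += n
        pos += 1 + m[pos]                       # compression_methods
        if pos + 2 > len(m):
            return                              # no extensions present
        end = pos + 2 + struct.unpack("!H", m[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", m[pos:pos + 4])
            pos += 4
            if etype == SNI_EXT:                # list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", m[pos + 3:pos + 5])[0]
                self.sni = m[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen

    def _server_hello(self, m: bytes) -> None:
        pos = 2 + 32                            # server_version + random
        pos += 1 + m[pos]                       # session_id
        self.chosen = struct.unpack("!H", m[pos:pos + 2])[0]

    def passive_decryption_possible(self) -> bool:
        """Only RSA key exchange lets a holder of the server's private key (with
        the full handshake) recover the session keys. DHE/ECDHE suites give
        forward secrecy, so they can only be inspected by an inline terminator."""
        return KEY_EXCHANGE.get(self.chosen) == "RSA"


def inspect(segments: List[bytes]) -> Session:
    s = Session()
    for seg in segments:
        s.feed(seg)
    return s


# --- Constructed sample traffic (not a real capture) --------------------------
def _record(ctype: int, payload: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def _handshake(htype: int, body: bytes) -> bytes:
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

def build_client_hello(host: str, suites: List[int]) -> bytes:
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", SNI_EXT, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                    # version, random, no session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                           # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    return _record(HANDSHAKE, _handshake(CLIENT_HELLO, body))

def build_server_hello(suite: int) -> bytes:
    body = b"\x03\x03" + b"\x22" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(HANDSHAKE, _handshake(SERVER_HELLO, body))

SAMPLE_STREAM = (build_client_hello("updates.example.com", [0xC02F, 0x009C])
                 + build_server_hello(0xC02F)
                 + _record(APPLICATION_DATA, b"\xaa" * 64)         # stand-in ciphertext
                 + _record(APPLICATION_DATA, b"\xbb" * 1200))
# Split at arbitrary offsets so that records straddle TCP segments.
SAMPLE_SEGMENTS = [SAMPLE_STREAM[:40], SAMPLE_STREAM[40:700], SAMPLE_STREAM[700:]]

if __name__ == "__main__":
    s = inspect(SAMPLE_SEGMENTS)
    print(f"SNI={s.sni} offered={[hex(c) for c in s.offered]} chosen={hex(s.chosen)}")
    print(f"application data: {s.app_data_records} records, {s.app_data_bytes} bytes, contents opaque")
    print("passive decryption with server key possible:", s.passive_decryption_possible())
```

The SNI and cipher-suite data are the kind of threat indicator the post distinguishes from tangible threats: a monitor can flag a session to a known-bad hostname without any decryption, but it cannot tell whether the 1,264 bytes of application data carry a software update or a malware stager. Because the sample negotiates an ECDHE suite, the inspector also reports that handing this stream to a passive decryptor with the server's key would yield nothing; only an inline termination point could expose the payload.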

Decryption isn't in itself out of reach for most organizations. Next-generation firewalls and application monitoring tools are able to decrypt SSL-encrypted data before scanning it with the usual battery of security policies, anti-virus, anti-bot tools and so on. But there is a potential problem, particularly as more and more sophisticated security tools and processes are layered onto such firewalls. The risk is that the firewall becomes a business bottleneck, as the extra computing power needed to decrypt data puts a brake on performance. This is why, as the research found, 45% of respondents said that degradation of network performance was a major factor in their not properly inspecting SSL traffic.

The answer to this performance challenge is to use a dedicated network packet broker to offload the extra processing burden from firewalls, security gateways and application monitoring tools: decrypt each session once, then feed the cleartext to every tool that needs it, rather than having each tool decrypt the same session again. The network packet broker should be deployed on a carefully designed monitoring and visibility architecture, to maximize the network's reliability and availability. Note that this creates a cleartext copy of sensitive traffic on the monitoring path, so that path and the tools attached to it must be segregated and access-controlled as strictly as the production data itself.

Network architecture is as critical to bolstering overall security posture as the actual security tools and processes in place. It's no longer enough just to purchase and install sophisticated security tools – you need to think carefully about where those tools are positioned on your network, and how they work together.

SSL encryption plays a vital role in keeping organizations’ data protected from malicious cybercriminals – and we expect this role to only grow in the coming months and years. But to truly harness its benefits, you need to ensure that it’s not also concealing other threats to your networks and data.