You Can't Stop What You Can't See

You Can’t Stop What You Can’t See

By: Darin Barton CISSP, CISA

By 2017 it is expected that 50-70% of all Internet based traffic will be encrypted. If that is the case then we need a serious paradigm shift in our perception of IT security – this is The Encrypted Traffic Dilemma.

It was early in 2015 when I recognized the growing void within IT security enveloping the globe. For many years I’ve been acutely aware of the challenges involved with scanning and detecting malicious SSL/TLS encrypted traffic; but it was the growing number of encrypted sites that caught my attention.

As the number of globally encrypted sites escalates so does the focus and creative means in which to target attacks through HTTPS. The interesting thing about encrypted traffic is that both the good guys and the bad guys use it to their advantage. For years, we have felt safer knowing our web traffic was encrypted but essentially we created a massive black hole within our networks and hoped that our end point security functioned at 100%. Now, as more sites and traffic become encrypted we are faced with the greater challenge of maintaining elusive control over a complex attack vector.

Without a doubt, as more companies are focusing their efforts to the Cloud and accepting even more encrypted traffic, it offers a potent opportunity for hackers to apply their craft through a vector that is woefully lacking security and potentially offers direct line-of-site into corporate networks.

So, what can you do to protect yourself? Most Unified Threat Management (UTM) Firewalls already have SSL inspection capability and you may be able to capitalize on that. The best aspect of using an existing firewall is that the device is already inline and there will be little disruption to production traffic by activating the inspection feature. The biggest concern with SSL inspection on pre existing gateways is that, unless you actively scoped your appliance to perform that function (in conjunction with the other UTM capabilities) the firewall will face intensive resource issues and may become a bottleneck. If, by chance, you did scope your firewall for this function then you can feel comfortable in giving it a try; monitoring it closely, and if resource utilization remain stable then you’re good to go. The only other concern to mention is that firewalls typically don’t have the ability to copy & forward the decrypted traffic to other security solutions (Sandbox/IPS/DLP) to conduct further scanning – for this you would require a more advanced solution or architecture.

Typically, SSL inspection solutions should be inline and allow for the normal flow of traffic in bypass mode. The Bluecoat SSL Visibility Appliance is a single inline appliance and has the capability to copy/forward decrypted traffic to a specific destination for additional security scanning. The Bluecoat solution is a favorite among many because of its security policy granularity and ability to finely tune traffic that should be bypassed (such as personal banking transactions).

A10 Networks has designed a different solution where they create, what I call, a “DMZ style” decryption zone. This solution requires two devices where any traffic entering the zone is decrypted, scanned by your security appliances (UTM/IPS/DLP/Sandbox), and then re-encrypted when leaving the zone.

Surprisingly, I am seeing a very low adoption rates to mitigate the gap encrypted traffic presents and I’m not sure why. Perhaps it’s a budgetary situation where organizations have been caught off guard by this dilemma and don’t have additional funding; these solutions aren’t cheap but they are manageable. I believe 2016 will see an increase in adoption as concern (and word) spreads to the ears of IT executives.

Whatever your situation, it is clear that you can no longer delay inspecting SSL traffic within your organization. As each day moves forward, the ROI on your traditional security investments become less; and before you know it, may add little overall value to your secure enterprise. In 2016, work with your security partner to properly leverage your IT investments and reduce the security risk encrypted traffic presents.

:Darin Barton CISSP, CISA is a senior security professional in Toronto Canada, with 20+ years experience in cybersecurity and investigations and currently employed with Access 2 Networks Inc. (A2N).

Testimonials

"Outstanding support... Unmatched technical expertise. Unbiased opinion. The level of service from A2N post-sales is unparalleled in the industry."

Jamil El Ghazal, Manager, Multiview Corporation

"Thank you for always going above and beyond. Your managed cybersecurity services are exceptional and you constantly demonstrate your dedication to customer service."

Brad Waller, IT Manager, Commonwell Mutual Insurance

“Special thanks to you and your team for the quick turnaround. This is why I keep coming back!”

Byron Bricker, IT Manager, Konrad Group

“…we were really impressed with their service and capability. Most importantly, they share their knowledge. I would recommend them to anyone.”

Guy Parisien, Network Administrator, Canada Council for the Arts

“A2N is one of those companies that just knows how to do things right. They were the best partner choice I ever made. Highly recommended!”

Steven Waters, VP IT, Cannex Financial Exchange

“The team at A2N have helped us out time after time from consulting to fixing. They can always be counted on for their support and they deliver amazing results. These guys, simply, are incredible! “

Chris Stapells, IT Manager, RPM Technologies

"As a major health care provider, we needed a key partner in helping us identify and design a comprehensive solution. Our continued working relationship and aftersales support has been exemplary. I would highly recommended A2N"

Christopher Broadbent, IT Department, Ungava Tulattavik Health Center

A2N – IT Matters-Secure IT

BLOG