Encryption Is Good, but Encryption With Inspection Is Better

In considering encrypted versus unencrypted traffic, I thought about the electromagnetic spectrum. Visible light comprises an infinitesimally small portion of the full electromagnetic spectrum, only 0.00035 percent, yet this is how humans perceive reality. This is how we interpret and interact with the physical world, blissfully ignoring the other 99.00065 percent.

Now apply that metaphor to network security and encrypted versus unencrypted traffic. Security professionals don’t have the luxury of only examining unencrypted traffic and ignoring encrypted traffic. Encryption, both in transit and at rest, is foundational for any security program, but organizations are often comfortable with solely implementing encryption. But encrypted traffic could introduce unnecessary risk to a security organization.

Attackers know encrypted connections are an excellent way to remain undetected while moving laterally, maintaining persistence, or escalating privileges. When that happens, SSL/TLS sessions can become a liability, camouflaging malicious traffic. A recent report from the cybersecurity organization WatchGuard stated that 91.5 percent of malware arrived over encrypted connections in Q2 of 2021.

Encrypted Traffic Inspection | Lightboard Series

Network security tools are often configured to ignore encrypted East-West traffic, even though encrypted traffic comprises the bulk of traffic inside the network. Gigamon’s Annual Review of Corporate North-South and East-West Traffic report states that 65 percent of all internal traffic is encrypted.

Gigamon’s Product and Applied Threat Research teams worked together to create the report, which shines a light on the various encryption technologies organizations are seeing in their networks  — not just North-South, but also East-West. The report also provides insight into encryption adoption trends and the continued use of outdated, insecure encryption protocols like SSL and TLS 1.0.

Organizations need East-West traffic visibility for multiple reasons: compliance with regulations that mandate data protection, accurate performance measurements, and finally, faster detection and remediation of security risks. While regulatory compliance and performance are critical to an organization’s success, we’ll focus on the security risks introduced by the lack of visibility.

Organizations can reduce the risk inherent in encrypted traffic by introducing capabilities like encrypted traffic inspection. This capability provides security tools visibility into encrypted traffic, enabling the discovery of adversary activity even if they are hiding in encrypted traffic.

Before adopting a potential decryption platform, security leaders should research the various decryption options available to them. Different solutions offer varied performance with different ciphers. Some solutions are easier to deploy or scale than others. We recommend you read the U.S. National Security Agency’s “Managing Risk from Transport Layer Security Inspection” security advisory on TLS decryption and thoroughly research available solutions and associated pros and cons.

The solution must also have the ability to distinguish data that needs to be decrypted from data that shouldn’t be decrypted. Lastly, no matter how much a solution is tested in a lab environment, be aware that the production environment is different, and eliminate the possibility of outages with the ability to bypass in the event of a catastrophe.

Next Steps

Download the full report to learn more about the steps you can take to prevent cybercriminals from remaining undetected in encrypted traffic on your network.

CONTINUE THE DISCUSSION

People are talking about this in the Gigamon Community’s Security group.

Share your thoughts today