The growing risk of un-inspected encrypted traffic in enterprise networks has been discussed for some time now. Security leaders are beginning to realise the far-reaching implications of network encryption: that it truly affects the effectiveness of the entire security infrastructure.
Below are some examples of challenges plaguing security and network ops teams and how an encrypted traffic management solution (ETM) can solve these:
1. Limited encrypted traffic visibility that enables data loss and exfiltration
Most Data Loss Protection (DLP) devices are blind to SSL traffic, whereas ETM solutions intelligently feed devices like DLP technologies with decrypted SSL traffic allowing them do their job more effectively and expose critical data movement and potential exfiltration. This reduces overall risk while helping maintain data privacy and industry compliance (i.e. HIPAA, PCI, and Sarbanes-Oxley).
2. Incomplete sandboxing that can’t analyse all malicious threats
Now you can manage encrypted traffic by feeding both decrypted and unencrypted traffic to anti-malware or sandboxing solutions for more complete threat analysis, and increase the number of malware detections isolated.
3. Inadequate intrusion protection that won’t stop attacks
IDS/IPS solutions cannot see or stop threats hidden within encrypted traffic, which creates dangerous blind spots. ETM solutions can automatically identify all SSL traffic and, based on your policies, feeds decrypted flows—as well as all non-SSL traffic and SSL traffic that policy determined should be left encrypted—to IDS/IPS solutions so they can better detect and eliminate advanced threats without hindering the device performance. This is especially important due to the rapid rise in nefarious Command and Control (C&C) traffic that utilise SSL and originate from inside an organisation’s network.
4. Weak network forensics that can’t monitor and capture sophisticated attacks
Encryption makes it difficult for security analytics or network forensic tools to monitor and detect network breaches and targeted attacks. With ETM solutions you can now more effectively analyse all network traffic for suspicious network and attacker behaviour. As well as allowing for the prompt response and remediation of compromised network assets and devices.
5. Decentralised SSL decryption that adds complexity and cost
With a comprehensive policy engine, having some form of SSL visibility appliance provides decrypted content of SSL flows to existing security appliances such as content analysis, network forensics and NGFW, so you can easily get the full visibility and control you need to fight SSL-borne threats. This approach doesn’t require any special software or APIs on the security devices in the infrastructure.
6. SSL traffic decryption and inspection that really slows you down
There are some solutions available that ensure the automatic visibility of all SSL traffic without affecting the performance of the network or requiring complex scripting and rule sets. This can increase network security device performance, by taking away the process-intensive burden of SSL inspection. This also preserves and extends the return-on-investment (ROI) of existing security devices in your network, making them more effective in seeing all traffic, applications and potential threats.
7. Adhering to growing data privacy and compliance demands
As data privacy continues to grow as a critical business concern, IT Security teams struggle with how to balance it with maintaining strong network security. Some available ETM selectively decrypt the suspicious and malicious SSL/TLS traffic, while allowing known good traffic can pass through in its encrypted state. This ensures data privacy and compliance and makes everyone happy — especially Legal, Compliance, and HR teams.
Robert Arandjelovic, Director of Security Strategy at Blue Coat