SSL and a tale of two security truths  

If you’ve noticed a little lock on your web browser then you’ve used SSL to secure your web communications, as does almost everyone these days, including, now, attackers. By Johnnie Konstantas, Director Security Solutions.


SSL encryption for the good and the bad
The Secure Sockets Layer (SSL) protocol emerged around the time of early Internet connectivity as a way to secure browser-to-server communications. Since then, SSL has become the standard for securing web-based connectivity including email, voice over IP, browsing, banking, eCommerce, business collaboration and many other applications. In fact, NSS Research found that 25 percent to 35 percent of network traffic is encrypted within most organisations today, and this figure will continue to rise.

SSL is easy to implement using the open source toolkit OpenSSL. In fact, as of 2014 two thirds of all web servers connected to the Internet use OpenSSL. Unfortunately, the code has also become a favourite with hackers, who are able to hide their communication and data exfiltration inside the encrypted sessions that OpenSSL helps create. These encrypted communications of bad actors are often able to evade security controls for various reasons. For the firewalls, application delivery controllers and other security devices that can decrypt SSL, the cost can be a degradation of performance by as much as 80 percent. Further, many out-of-band security applications cannot decrypt SSL traffic at all, or require expensive hardware upgrades to support this functionality. And, as the use of SSL expands briskly inside networks, so too does the computational burden of decrypting larger and larger amounts of traffic. The result is that SSL has become both a means of protection and a liability from a security perspective.

Gartner believes that by 2017, more than half of the network attacks targeting enterprises will use encrypted traffic to bypass controls.

SSL inspection, needed but not easy
To alleviate the critical blind spots created by encrypted traffic flowing through IT infrastructure, organisations need innovative visibility solutions with the capability to decrypt SSL sessions at high performance. Implementing a strategy for security inspection of SSL traffic holds a number of benefits for organisations:
• Malware detection – viruses, worms and infected code can hide in SSL traffic, so allowing inspection of this traffic can reduce risk through detection
• Data loss prevention – the theft of valuable information is often conducted through attachments to encrypted email. Inspection of this traffic by secure email gateways and DLP gateways is an important part of protecting intellectual property
• Command and control detection – Zeus and the Trojan “GameOver” are examples of malware that use encryption to hide command and control (C&C) communications with servers out on the Internet that will eventually serve as collection points for pilfered data. Through decryption, new technologies capable of advanced threat detection can recognise the patterns of C&C comms and inform security teams of where compromise has occurred
• Data exfiltration prevention – critical data like passwords and sensitive personal information is often obfuscated with SSL. Decryption and inspection is critical to preventing that data from leaving the network perimeter

Deciding to deploy security inspection of SSL traffic requires organisations to conduct some broad planning for how to implement it technically, and for how they will communicate this to employees and partners to allay privacy concerns.

Technical considerations
There are two types of SSL traffic, inbound and outbound, both of which may be inspected for the presence of malware, C&C and sensitive data.
• Inbound communications originate from the Internet, with an employee, consultant or customer, for example, accessing web-based applications that are hosted on the organisation’s premises, data centre, campus location or cloud
• Outbound communications originate at the organisation’s network – likely from employees or visitors on the network who are accessing Internet-based applications like Gmail, Dropbox, Salesforce.com and online banking

The technologies and methods used to intercept inbound and outbound SSL traffic are different. Both traffic types should be inspected, however, as there is security benefit to doing so. Some firms may choose to deploy inspection for one type and then another depending on whether issues of privacy, technical scaling or both require it. In either case, firms should ensure that the method chosen does not impact performance negatively. Also, the technical means to comply with privacy laws and obfuscate portions of the SSL communications that contain personal information should be available.

Privacy considerations
While there is undeniable benefit to inspecting SSL traffic to protect intellectual property and prevent broad network breaches, there are also concerns of employee and citizen privacy to consider in doing so. These laws vary by country, but most have compliance mandates in place similar to PCI, HIPAA, SOX and others that are meant to ensure that personally identifiable information stays private.
Organisations should take care to deploy SSL decryption solutions that are capable of masking those parts of the decrypted communication that should not be viewed by security personnel, auditors or anyone other than the owner of the information. Firms also need to take great care in communicating the rationale for inspecting encrypted communications as well as the privacy safeguards that are in place.
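As an added illustration of the two points above (classifying sessions as inbound or outbound relative to the organisation’s address space, and masking personal data before decrypted traffic reaches security staff or tools), here is example code that is not from the article or any vendor product; the address ranges, field names and masking patterns are constructed assumptions.

```python
# Added example: label decrypted sessions by direction and mask sensitive
# fields before the record is handed to inspection tools. Everything below
# (networks, field names, patterns) is a constructed assumption.
import ipaddress
import re
from dataclasses import dataclass

# Constructed: the organisation's own address ranges.
ORG_NETS = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.0.2.0/24")]

# Constructed: data that analysts must never see in the clear.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")          # payment card numbers
PASSWORD_RE = re.compile(r"(password=)[^&\s]+", re.I)    # form/query passwords

@dataclass
class Session:
    client_ip: str
    server_ip: str
    sni: str        # server name from the TLS handshake
    payload: str    # decrypted application data (constructed)

def _in_org(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ORG_NETS)

def direction(s: Session) -> str:
    """Inbound: Internet client reaching a server we host.
    Outbound: our client reaching an Internet-based application."""
    if _in_org(s.server_ip) and not _in_org(s.client_ip):
        return "inbound"
    if _in_org(s.client_ip) and not _in_org(s.server_ip):
        return "outbound"
    return "internal" if _in_org(s.client_ip) else "transit"

def mask(payload: str) -> str:
    """Replace password values and all but the last four card digits."""
    payload = PASSWORD_RE.sub(r"\1[MASKED]", payload)
    return CARD_RE.sub(lambda m: "[CARD:" + m.group()[-4:] + "]", payload)

def prepare_for_inspection(s: Session) -> dict:
    """The record forwarded to DLP, malware and C&C inspection tools."""
    return {"direction": direction(s), "sni": s.sni, "payload": mask(s.payload)}
```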


Summary: Key requirements for SSL decryption that works
Use of SSL web-based communications for critical business operations will only increase, as will its use by hackers to blend and hide their activities. Looking inside SSL traffic is a critical component of any organisation’s strategy to stem losses and detect threats inside networks. To accomplish this requires some forethought and selecting the right approach.
In a nutshell, here are the considerations:
• Ensure that you have access to all SSL encrypted communications on the network
• Separate inbound and outbound SSL inspection needs so that the privacy concerns and technical requirements of each are understood
• Ensure that the SSL traffic to be decrypted can be easily gathered and distributed to all of the security applications and devices that need to inspect it
• Look for SSL decryption approaches that help maintain privacy compliance with capabilities for packet slicing and masking
• Choose those technologies that enable service chaining after SSL decryption so that the traffic can be inspected by multiple security devices for different types of threats
• Communicate clearly with employees about the business needs for SSL decryption and inspection and the care taken to protect privacy
• Understand that SSL decryption itself is not the security solution; being able to send that traffic in a high performance way to security applications is.