“Inspect every packet, every time.”
This has been my advice to any network admin or business owner for many years. This is equally important in regards to encrypted traffic. Much of the internet has become encrypted, meaning that it can only be perused and accessed over HTTPS. While this rightly includes traffic such as online banking and financial sites, it also now includes webmail, social media, online streaming video, music and even search engines.
While encryption of the internet enables online privacy, it has also opened a new threat vector for hackers and criminals to hide malicious content. If you encrypt the whole internet, you encrypt all the threats traversing it.
The painful truth is that the vast majority of networks (including governments, international enterprises, educational, medical and consumer networks) have yet to implement a security solution capable of inspecting the encrypted traffic. If you cannot inspect it, you can not protect it. With over 80 percent of internet traffic now encrypted, this has become an open pipeline for attacks. More than 67 percent of all malware attacks are still delivered via email. Guess what? That email is most often encrypted via HTTPS.
Inspecting encrypted traffic is paramount in preventing threats such as viruses, exploits, spyware and ransomware. Numerous articles, findings, testimonials and forensic analyses of recent breaches (such as at the IRS, OPM, JPMorgan Chase, Home Depot, Target and Equifax) focused on threat prevention. They reported that varying degrees of security had not been deployed or utilized, alerts were missed, traffic went uninspected, or updates and patches were not applied. In some breaches, there were financial penalties for failing to protect end-user data, such as providing credit monitoring services for consumers, refunds for past services, or government-levied fines.
However, another critical reason to inspect encrypted traffic was rarely discussed. Yet, in six months, that reason will have incredible legal and financial implications that many are underestimating. That reason is data loss. And while organizations have sought to increase their threat prevention, only minor attention has been applied to data loss prevention (DLP). Well, with General Data Protection Regulation (GDPR), that is about to change drastically.
GDPR tightens requirements for EU data protection
On May 25, 2018, the European Union General Data Protection Regulation (GDPR) goes into effect. While this is an EU regulation, it will play a tremendous role in the ways data protection is controlled worldwide. The following is an excerpt from the GDPR:
“Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. […] violating the core of Privacy by Design concepts[….] It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.”
Pay close attention to that last line, especially if you are a cloud provider or consumer. Any organization that hosts or processes data for citizens of an EU member country will be held accountable to this regulation. Make no mistake, countries outside of the EU, including the US, are in the process of enacting similar legislations.
While threat prevention should always be a cornerstone in any network security architecture, data loss prevention will now be as well. For example, one may have a decent anti-malware client and other solutions for threat prevention, but what is in place to prevent a staff member unwillingly or willingly executing an application that uploads confidential end-user data like credit card numbers, addresses, phone numbers or other personally identifiable information (PII)? What is in place today to stop someone from accidentally or willingly “dragging and dropping” a PDF containing PII to a public FTP Server, or uploading it to their personal webmail? Remember, all of these connections are now encrypted.
Fortunately, you can easily apply data loss prevention rules on all SonicWall firewalls to inspect encrypted traffic and prevent data loss. By leveraging incredibly powerful Deep Packet Inspection of SSL/TLS Encrypted Traffic (DPI-SSL), and applying keywords or phrases defined using Regular Express (RegEx), SonicWall firewalls are able to inspect all encrypted communications for PII in real time. Should an application, system or employee attempt to upload PII, the SonicWall firewall can detect it, block the upload, and provide incident reporting of the event. That is how you can inspect every packet, every time. And that is how you prevent the breach.
Download our “Best Practices for Stopping Encrypted Threats” to help you prevent that breach.