According to a recent Gartner report [1], encrypted web traffic now comprises up to 40 percent of total web traffic for financial institutions. NSS Labs [2] estimated 25 percent to 35 percent for a typical enterprise. However, for some businesses, NSS believes it could be as high as 70 percent. Our own research published in the 2015 SonicWall Security Annual Threat Report is in line with these estimates. Based on raw telemetry data gathered via the SonicWall Global Response Intelligence Defense (GRID) Network, SonicWall Security threat researchers found a 109 percent increase in the volume of HTTPS web connections from the beginning of 2014 to the beginning of 2015, with continued growth into 2015. And, by the end of 2014, as shown here, HTTPS web connections comprised 60 percent of total web connections.
This data clearly supports the massive industry trend towards an all-encrypted Internet, not only to make it more difficult for cyber-criminals to eavesdrop on web connections, but also to ensure the privacy of personal information. Many cyber-security experts have been pushing the industry towards the perceived ideal of “HTTPS Everywhere”, in which plaintext on the Internet is replaced with encryption to achieve these objectives.
However, with the increased use of Secure Sockets Layer (SSL) or the newer Transport Layer Security (TLS) encryption protocol by the good guys, there is a corresponding increase in the use of encryption to hide malware from organizations. Using SSL/TLS, skilled attackers can encrypt command-and-control communications and malicious code to evade intrusion prevention systems (IPS) and anti-malware systems. These attack methods pose greater risks to organizations of any size because they are more complex and more difficult to detect. After all, a security system cannot stop what it cannot see. Therefore, it is crucial to have a very capable SSL/TLS inspection mechanism that can effectively resist these evasive tactics. The “Gameover” banking Trojan is a good example of how attackers use encryption to conceal their presence while delivering malware to victims through legitimate but compromised websites. With most cloud-delivered web applications such as online banking, e-commerce and social networking websites, as well as popular search engines, already adopting the HTTPS standard, decrypting and inspecting encrypted web traffic has now become mandatory for organizations.
The catch here is that legacy network security solutions either don’t have the ability to inspect SSL/TLS encrypted traffic, or their performance while inspecting is so low that they are effectively unusable. The key difference in inspecting encrypted versus plaintext traffic is the 6 additional compute steps that must occur before any data is sent back and forth between a client’s browser and the web server over the HTTPS connection.
- Client initiates an SSL/TLS security handshake with the server to confirm identities. The client tells the server, or in this case the security device, what ciphers and keys it wants to use.
- Security device intercepts the request and establishes the session using its own certificate in place of the server’s.
- Security device then initiates its own SSL/TLS handshake with the server on behalf of the client, using an admin-defined SSL/TLS certificate.
- Server completes the handshake and builds a secure tunnel between itself and the security device.
- Security device decrypts and inspects all traffic coming from or going to the client for threats and policy violations.
- Security device re-encrypts the traffic and sends it along to the client.
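As an added example (not SonicWall’s code or product logic), here is step 1 from the inspecting device’s point of view: a minimal parser that pulls the client version, the offered cipher suites and the SNI hostname out of a TLS ClientHello, which is exactly what an inspection device must read before it decides how to handle the session. The ClientHello is assembled in the same block as a constructed sample rather than captured traffic, and the function names are hypothetical.

```python
import struct


def build_client_hello(host: str, cipher_suites: list[int]) -> bytes:
    """Assemble a minimal TLS 1.2 ClientHello record with an SNI extension (constructed sample)."""
    sni_name = host.encode()
    sni_list = b"\x00" + struct.pack("!H", len(sni_name)) + sni_name          # name_type host_name (0)
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        b"\x03\x03"                                    # client_version: TLS 1.2
        + bytes(32)                                    # random (all zeros in this constructed sample)
        + b"\x00"                                      # empty session_id
        + struct.pack("!H", len(suites)) + suites      # cipher_suites vector
        + b"\x01\x00"                                  # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext    # extensions vector
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello (1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record: handshake (22)


def parse_client_hello(record: bytes) -> dict:
    """Extract what an inspecting device needs from step 1: version, offered suites and SNI."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                            # record header (5) + handshake header (4)
    version = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + 32                                      # client_version + random
    pos += 1 + record[pos]                             # session_id (length-prefixed)
    suites_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    pos += suites_len
    pos += 1 + record[pos]                             # compression_methods (length-prefixed)
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    sni = None
    while pos < end:                                   # walk the extension list
        ext_type, length = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + length]
        if ext_type == 0x0000:                         # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + name_len].decode()
        pos += 4 + length
    return {"version": version, "cipher_suites": suites, "sni": sni}


if __name__ == "__main__":
    hello = build_client_hello("bank.example", [0xC02F, 0xC030, 0x002F])
    print(parse_client_hello(hello))
```

The SNI value is what lets a device apply a per-site policy (for example, excluding a category of sites from decryption) before it ever substitutes its own certificate in step 2.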
The two key areas of SSL/TLS that affect inspection performance are establishing the secure connection and the decryption and re-encryption of the secured data exchange. Each is very compute intensive, which impacts the overall scanning speed of the security system. According to NSS Labs [2], the performance penalty on a security system when SSL inspection is active can be as high as 81 percent.
What does all this really mean to your organization?
Here are my top recommendations for protecting your organization against the ever-increasing use of encryption for Internet traffic.
- If you haven’t conducted a security audit for some time, now is a good time to undertake a comprehensive risk analysis to identify your risks and needs.
- Upgrade to a capable, extensible next-generation firewall (NGFW) with integrated IPS and an SSL inspection design that can scale to support future growth.
- Update your security policies to defend against a broader array of threat vectors and establish numerous security defense methods to respond to attacks whether that traffic is HTTP or HTTPS.
- Implement continuous training for your staff to be aware of the danger of social media, social engineering, suspicious websites and downloads, and various spam and phishing scams.
- Inform users never to accept a self-signed or otherwise invalid certificate.
- Make sure all your software is up to date with all security updates and patches. This will help protect all machines from older SSL exploits that have already been neutralized.
SonicWall’s security recommendations for 2015 revolve around eight key findings documented in the 2015 SonicWall Security Annual Threat Report. Download a copy now to learn more and get practical advice on how to protect your organization from the emerging threats identified in the report.
[1] Security Leaders Must Address Threats From Rising SSL Traffic, Gartner, December 2013
[2] SSL Performance Problems, NSS Labs Gartner, June 2013