Does Your Network Need a Watchman?
So, you’ve decided to open a bar. You hire the best decorator, purchase the best selection of bottles imaginable, and hire the best bartender you can find. The bar opens to rave reviews, and instantly becomes the hottest spot in town.
Within a month, it’s closed. As it turns out, allowing just anybody in—or out—isn’t sound business practice.
That goes double for cybersecurity. Imagine if your business were content to have no visibility into a common source of problems and noncompliance. Unfortunately, this may already be the case, as many businesses still do not make inspecting encrypted traffic a priority.
First of all, let’s explore what encrypted threats are. In simple terms, SSL (Secure Sockets Layer) creates an encrypted tunnel for securing data over an internet connection. TLS (Transport Layer Security) is the newer, more secure successor to SSL.
While TLS and SSL provide legitimate security benefits for web sessions and internet connections, cybercriminals increasingly use these same encryption standards to hide malware, ransomware, zero-day exploits and more. Today, an estimated 35% of threats are encrypted — and that number is on the rise (Source: Gartner).
Unfortunately, there’s a fear of complexity and a general lack of awareness around the need to responsibly inspect SSL and TLS traffic — particularly using deep packet inspection (DPI) — for malicious cyberattacks. This attitude is especially dangerous because traditional security controls lack the capability or processing power to detect, inspect and mitigate cyberattacks sent via HTTPS traffic.
In the case of our theoretical bar, hiring a watchman would have made all the difference between continuing to be successful and having to shut down (or being shut down) due to insufficient or nonexistent control over traffic. Similarly, as the rate of encrypted threats continues to rise, examining encrypted traffic could make the difference between recognizing and blocking a threat, and being forced to pick up the pieces after a successful cyberattack.
Imagine your bar had a dress code. Regardless of whether that dress code mandated fashionable club wear or a jacket and tie, without a watchman or doorperson, there’s nothing to enforce it. Worse, with no one to check coats, you never know who might be wearing a hockey jersey or a crass political T-shirt under their khaki trench coat.
The interplay between content filtering solutions and encrypted traffic is similar. With 80 to 90 percent of traffic now arriving over encrypted HTTPS connections, content filtering solutions lose most of their accuracy (Source: Google Transparency Report). Without decryption they can see little more than the destination host, which limits their ability to identify the destination webpage and decide how to deal with a potential threat. And without the ability to see what’s going on below the surface, you’re in danger of threats sneaking past.
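As an added illustration (not code from the original post or from any vendor product), the script below constructs a sample TLS ClientHello and shows what a gateway that does not decrypt can actually read from it: the server name (SNI) and nothing else, so host-level allow/block is the finest policy it can enforce. The hostname, blocklist and function names are constructed for this example.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello carrying an SNI extension.
    Only the handshake is in the clear; the HTTP request follows inside the encrypted stream."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name           # name_type=host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                        # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                          # one cipher suite
            + b"\x01\x00"                                                 # null compression only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body        # type=ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the hostname a passive gateway can read from a ClientHello, or None if none is visible."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                   # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # cipher suites
    p += 1 + record[p]                                   # compression methods
    if p + 2 > len(record):
        return None                                      # no extensions at all
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0x0000:                              # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode()
        p += elen
    return None

def gateway_decision(record: bytes, blocked_hosts: set) -> str:
    """The coarsest decision a non-decrypting gateway can make: host granularity only.
    A per-URL policy (e.g. allow /docs but block /downloads) needs decryption to be enforceable."""
    host = extract_sni(record)
    if host is None:
        return "unknown-destination"                     # no SNI: not even the hostname is visible
    return "block" if host in blocked_hosts else "allow"

if __name__ == "__main__":
    hello = build_client_hello("updates.example-corp.test")   # constructed hostname
    print("visible:", extract_sni(hello), "| path/headers/body: not visible")
    print("decision:", gateway_decision(hello, {"updates.example-corp.test"}))
```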
Similarly, sandboxing solutions are of limited usefulness when it comes to encrypted threats. If a cybercriminal manages to establish an encrypted connection between their command-and-control (C2) server and an endpoint, they can transfer files back and forth—including additional malware. In most cases, organizations have a single sandboxing solution that is capable of scanning all files and ensuring they’re non-malicious before allowing them through.
But if the communication is encrypted, the sandboxing solution is rendered useless because you’re unable to capture the files traveling between the C2 server and the endpoint. The solution sees encrypted traffic flowing between two IP addresses but has no visibility into what’s going on inside it.
In the example of our watchman, think of him as a seasoned professional. He’s got a mental list of troublemakers 20 years in the making and can spot one a mile away. But without someone at the door to recognize those who become a danger to themselves and others, they can walk right in—and to someone whose job isn’t spotting these sorts of troublemakers, they’re just another patron until it’s too late.
Sometimes it’s not just about what’s going into the bar (or network)—it’s also about what’s leaving. Many security solutions are designed for data loss prevention, but encryption can hide outbound data from them entirely. This allows malicious actors (from inside or outside the organization) to steal private or confidential data without anyone noticing; once they have enough to blackmail you, they will often deploy ransomware as well.
Unfortunately, ordinary gateway appliances without decryption available or enabled have no visibility into this traffic. And the risks extend beyond trojans, ransomware and malware—such data exfiltration could also put you out of compliance with regulations like HIPAA, PCI or GDPR, inviting stiff fines.
Did your bar close because patrons got caught leaving with drinks or employees were witnessed sneaking bottles out in a handbag? That isn’t just illegal for them—it’s illegal for you, too. And sometimes the penalties for lack of compliance, whether that’s local ordinances for pubs or national compliance regulations for large organizations, can threaten or even close businesses.
In both cases, the answer is the same: a fearless and effective defender who’s smart enough to know who to let in and who to keep out—and the muscle to back it up without creating a bottleneck at the door.
To find out more about what you need to do to inspect your organization’s encrypted traffic, register for the latest Mindhunter webinar, “Does Your Network Need a Watchman?”, on April 20 at 10 a.m. GMT.