Mark Jow, technical evangelist, EMEA at Gigamon
Network visibility is a fundamental security objective in today’s environment. Gaining oversight into suspicious traffic empowers threat detection, informs overall security posture management efforts, and forms the foundation for a Zero Trust strategy. Mark Jow, Technical Evangelist at Gigamon, outlines the impact of encrypted traffic on this goal and discusses ways to implement effective decryption.
Encryption has long been used for security purposes, can you explain how it also poses a threat?
First, let me outline today’s data centre security challenges. It is no secret that data centres are processing an immense amount of traffic. As business data grows and organisations move into increasingly hybrid cloud environments, monitoring all of this traffic for security risks becomes a real challenge. Malicious actors often hide in networks to exfiltrate sensitive data and maximise their impact, meaning data centre operators now need to have oversight over all East-West traffic for effective threat detection. Despite network visibility being a known security priority, Gigamon research found that less than half (48%) of organisations have insight into data moving laterally across their networks.
At the same time, security leaders have turned to encryption to hide information from prying eyes. Today, encryption makes up over 90% of all internet traffic, and the proportion of encrypted traffic within internal enterprise networks is growing fast. While encryption is a proven way to protect sensitive information, it also contributes to poor network visibility without robust decryption and analysis.
Cybercriminals are becoming increasingly adept at using our security methods against us, and encrypted traffic is a powerful tool in their playbook. The same confidentiality that protects data also hides malware, suspicious activity, and data exfiltration from our security teams. This doesn’t mean encryption is failing, but data centre security needs to step up to the challenge of decrypting traffic for better threat detection and response.
Why is it important to decrypt traffic now?
It might sound like a cliché, but the first step towards preventing encrypted threats is to acknowledge the risk they pose. It is impossible to defend against a threat you cannot see and can’t measure within your own data centres.
Encryption is playing a larger role in attacks, and with great success. Over 90% of malware attacks now use encryption to evade detection, and yet a Gigamon survey found that only 30% of IT and security professionals have visibility into encrypted traffic. Businesses already understand the danger of security blind spots – over half of respondents in the same survey named it their top concern – but until now the practical challenges have been holding security teams back. The result is that these accepted un-analysed threats are contributing to a threat landscape in which almost 1 in 3 successful breaches go undetected.
In recent years, a rise in microservices and the increasing adoption of containerised applications have exacerbated this trend by increasing internal traffic. Machine-to-machine or server-to-server traffic is the perfect means for an attack to proliferate and spread. Not letting lateral movement go unmonitored has become much more important in the last few years.
Why isn’t traditional decryption working? How could it work better?
Unfortunately, traditional decryption is just not a viable solution for many data centre operators. Decryption efforts usually take place at the perimeter, decrypted at the firewall, in an appliance, or using a load balancer. These methods require a lot of configuration, key management, and vast amounts of compute power to break encryption, inspect the contents, and then re-encrypt. When most traffic is encrypted, it adds up.
There are a few tricks to save resources in the decryption process. Businesses investing in decryption can take steps to minimise redundant traffic inspection and identify which network packets should be prioritised. Tactics such as application filtering, in which traffic signature is used to distinguish between high- and low- risk applications, enable teams to apply risk-based decryption across their data centres. However, it’s important to remember that these assessments are not foolproof.
Another similar, low-cost approach lies in deploying data management strategies to reduce the traffic flow across a data centre and achieve the necessary visibility to assess risk. Data centre networks are structured with resiliency and availability in mind, but this approach creates duplicate network packets across a network. In the costly case of decryption, implementing deduplication ensures that each network packet is only analysed once.
These approaches are a good first step to reduce the financial and compute drain of a more robust decryption effort, but the reality is that inspecting all traffic is the only way to stop encrypted threats. To meet this need, today’s fast-growing networks need a more efficient decryption solution that is low cost, low CPU, and simple. Precryption technology is the solution.
Technology is always evolving, and decryption is no different. It is now possible to rethink the challenge of encrypted traffic visibility, and Precryption resolves the issue by going directly to the source.
Without a plausible, affordable decryption method, data centre operators and owners have largely accepted defeat when it comes to encrypted threats – or invest in a very heavy solution that requires large-scale changes to networks and drains energy, space and budget. But inside each network packet lies the key to a new approach. Precryption works by accessing the Linux kernel to get plain text traffic visibility before encryption is ever performed. In doing this, security teams use less compute power to analyse more traffic. By cutting the decryption and re-encryption stages out of the equation, it also allows security tools to detect threats quickly even as traffic continues to increase.
Until now, encrypted threats have been thriving in a perfect storm of low visibility, high traffic, and optimistic risk assessments. Now is the time to face up to this risk and pursue true traffic visibility.