What Shark Week Can Teach Security Professionals About Encrypted Traffic Management (ETM)

Featured article by Bradon Rogers, SVP Product Strategy and Operations, Blue Coat

Just as you don’t know what’s lurking in the ocean water at the beach this summer, many organizations aren’t aware of the cyber threats hiding in their encrypted communications. As today’s threat landscape continues to evolve, SSL/TLS encryption is being widely adopted to protect enterprise communications while ensuring data privacy.

Network encryption does a lot to protect the privacy and integrity of communications, but it can also have a dark side. In the same way that the ocean conceals what’s swimming below its surface, malicious threats lurk silently and undetected within encrypted traffic. A growing number of security professionals are overconfident about their ability to handle security threats hidden in SSL and TLS communications. In fact, 85 percent of security professionals believe their organizations have this issue covered, however, Gartner reports that only 20 percent of next-gen firewalls (NGFWs) and unified threat management solutions (UTMs) actually inspect SSL traffic. Further many other traditional security controls such as IPS, DLP and sandboxing technologies are simply rendered blind to encrypted communications. What makes this so concerning is that additional research has shown dramatic increases in malware using SSL in the last two years. This dangerous mix of the growth of encrypted traffic and the blind spots it leaves behind make it clear that organizations are shark bait, just waiting for an attack.

Looking back on Shark Week, I’ve come to realize that the ocean’s most feared predator has a lot to teach us about encrypted traffic management (ETM). Here are some of the lessons that the Discovery Channel can teach IT security professionals this week:

There is something lurking beneath: Unlike the clear water off the coast of Florida, it can be difficult to see one’s own feet when treading water in Cape Cod. Similarly, while SSL/TLS encryption is widely used to secure communications to internal and external servers, it can blind security tools by preventing complete inspection of network traffic, increasing risk. This lack of visibility into SSL can make it difficult or impossible for network administrators to enforce acceptable use policies and to ensure that threats like viruses, spam and malware are stopped before they reach individual users. Most security tools are blind to SSL traffic, and while encryption is a valuable resource, it must be managed to ensure optimum performance. ETM solutions complement traditional security controls and intelligently feed devices like DLP and anti-malware technologies with a feed of traffic that they can see, allowing them to actually see the content they are blind to otherwise. Most importantly proper ETM does not have to tradeoff privacy, in fact protecting the sanctity of critical transactions and personal privacy should be a core tenant of proper ETM.

Appearances can be deceiving: Popular culture has made us believe that all sharks are out to get us. However, there are a number of sharks who aren’t aggressive such as whale, angel and nurse sharks. When it comes to ETM, the appearance of web traffic can also be deceiving. What many organizations fail to realize is that most threats actually come from legitimate websites, not those questionable looking ones. What’s more, many threats penetrate from inside the organization. As a result, security professionals must selectively decrypt and inspect both inbound AND outbound SSL traffic, not just block its access, to ensure proper communications and maintain continuity of operations. For example, by decrypting outbound as well as inbound traffic, security professionals can identify hacker command and control (C&C) communications originating inside the network.

With activity comes attack: Unfortunately, the number of shark attacks each year is increasing. Many experts attribute this to the increased number of people spending time at the beach and in shark-populated waters. Just as more of us are flocking to the beaches during the warmer months, NSS Labs predicts a 20 percent growth in SSL traffic per year. Corporate adoption of cloud services and mobile apps will only accelerate this growth since any credible cloud service will leverage SSL in their communications with users. As an organization’s network perimeter expands, so should its security team’s ability to manage encrypted traffic, otherwise, they risk undue exposure to increased attacks.

There’s only one threat lurking: Sharks aren’t the only animals in the ocean that pose a danger to humans. Jellyfish, Stingrays, Killer Whales and others all pose a serious threat. The same way that popular culture makes it seem that all ocean attacks come from sharks, organizations often assume that malicious activity is getting in through one specific SSL-based application or TCP port (such as port 80). However, hackers love hiding threats in SSL, and the use of SSL for exploits is growing faster than SSL itself. According to Gartner, by next year more than 50 percent of network attacks targeting enterprises will use SSL to avoid detection. As organizations look for an encrypted traffic management solution, it is important to select a strategy that can automatically monitor SSL traffic on any port; not only standard ports, such as 443, 465, 990, 993 and 995, but obscure, unconventional ports used by new application types and by hackers trying to evade detection by traditional security devices.

Turn prey into predator: It is said that sharks have only one predator, humans. In turn, the only thing that malicious actors need to fear is being detected. IT Security professionals are the only ones that can stop malicious actors and their hidden behavior within encrypted traffic, as it will most likely appear harmless to end users and the network infrastructure overall. ETM solutions that offer comprehensive, policy-based visibility and control over encrypted traffic allow organizations to maximize protection and minimize risks. A holistic ETM strategy will enable organizations to meet their various business needs and protect user’s privacy, while addressing their security, corporate and compliance mandates.

The world around us is constantly evolving, and attackers are always looking for ways to enter an organization without being detected. Today, it is encrypted traffic, tomorrow, it will be something else. If the movie Jaws taught us anything, its that waiting is a dangerous game, and you might just end up sinking when the shark makes his return to take a bite out of your boat. However, with the proper tools you can see a dangerous shark well before it’s near you and make it back to shore unscathed. In much the same way, encrypted traffic must be effectively managed to ensure proper visibility of threats. By doing so, organizations can keep their users and information protected from the sharks of the internet who wish to take a bite out of their organizational resources by hiding underneath the surface.