The Relevance of Network Security in an Encrypted World

Encrypted traffic is increasingly used by bad actors to conceal cyber threats. Gartner states that 60% of cyberattacks carried out in 2019 leveraged encryption and that the figure is set to rise to 70% in 2020. Understanding how your security solutions recognize or prevent threats within SSL traffic is extremely important, since many tools can't do this. This blog summarizes how security solutions can work with encrypted network traffic.

The Challenge of Encrypted Network Traffic

Encryption protects the confidentiality and privacy of sensitive data in motion. However, encryption also poses a challenge to network security products. If these products cannot inspect the payload of connections, they lose their ability to detect and respond to threats.

The Rise of Encrypted Data

The use of encryption on the Internet has risen dramatically. For example, the Google Transparency Report shows that the fraction of encrypted web traffic on the Internet has steadily increased, from around 50% five years ago to between 80% and 90% today.

Although the percentage of encrypted traffic on “the inside” — within the networks and data centers of organizations — is lower, initiatives such as the zero-trust network architecture will likely increase the number of organizations embracing encryption to secure internal data. Thus, it is important to understand how network security products can deliver visibility and protection in the presence of ubiquitous encrypted traffic.

Encrypting traffic prevents network security products from inspecting the payload. This means that they can neither leverage signatures to detect known threats nor extract objects (e.g., files or documents) before submitting them to a sandbox for deeper analysis. While this affects the effectiveness of network-based products, it does not mean that network security is obsolete. Users still need the complete coverage, the context, and the certainty that only the network can provide. However, users need the proper solution to obtain these resources.

Overcoming the Challenge: Lastline Defender

Lastline Defender is a Network Detection and Response (NDR) platform that detects and contains sophisticated threats. It does this by applying unsupervised Machine Learning (ML) to network traffic in order to detect anomalies, using supervised ML to create classifiers of malicious network activity and leveraging its Global Threat Intelligence Network to scan traffic for known malware payloads.

Lastline Defender employs two methodologies to deal successfully with encrypted communication: decrypting network traffic and analyzing encrypted traffic.

Analyzing Encrypted Traffic

Even when a Sensor has no access to decrypted traffic and payloads, Lastline provides significant protection against malicious activity. To achieve this, our solution inspects and uses traffic (connection) metadata and leverages the following three detection techniques: Anomaly Detection; Threat Intelligence and Indicators of Compromise; and Encrypted Traffic Analysis.
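To make the three techniques concrete, the following added example (not Lastline's code and not a description of how Lastline Defender is implemented) applies each of them to connection metadata only, with nothing decrypted. The flow records, the indicator lists, the TLS client fingerprint values (a JA3-style hash of ClientHello parameters is assumed as the fingerprint) and the thresholds are all constructed for illustration.

```python
"""Added example: detection on connection metadata alone, without decryption.

Each flow record stands in for what a network sensor can extract from a TLS
session in the clear: endpoints, the SNI from the ClientHello, a hash of the
client's handshake parameters (JA3-style, assumed), whether the server
certificate is self-signed, and volume/duration counters. All values,
indicator lists and thresholds below are constructed, not real intelligence.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Flow:
    src: str                # internal client address
    dst_ip: str
    dst_port: int
    sni: str                # server name from the TLS ClientHello, "" if absent
    client_fp: str          # hash of the client's TLS handshake parameters (constructed)
    cert_self_signed: bool  # observable from the server certificate, no decryption needed
    bytes_out: int
    bytes_in: int
    duration_s: float


# Threat intelligence / indicators of compromise (constructed values).
IOC_DOMAINS = {"bad-update.example"}
IOC_CLIENT_FPS = {"c0ffee00c0ffee00c0ffee00c0ffee00"}

# Per-host baseline of bytes_out per flow over a training window (constructed).
BASELINE = {
    "10.0.0.5": [1200, 1500, 900, 1300, 1100, 1400, 1000, 1250],
}


def ioc_findings(flow):
    """Threat intelligence: match observable metadata against known indicators."""
    hits = []
    if flow.sni in IOC_DOMAINS:
        hits.append("ioc-domain")
    if flow.client_fp in IOC_CLIENT_FPS:
        hits.append("ioc-client-fingerprint")
    return hits


def encrypted_traffic_findings(flow):
    """Encrypted traffic analysis: features of the TLS session visible in the clear."""
    hits = []
    if flow.dst_port == 443 and not flow.sni:
        hits.append("no-sni")
    if flow.cert_self_signed:
        hits.append("self-signed-cert")
    if flow.bytes_in and flow.bytes_out / flow.bytes_in > 20:
        hits.append("upload-heavy")
    return hits


def anomaly_findings(flow, baseline, z_threshold=3.0):
    """Anomaly detection: bytes_out far outside the host's own historical distribution."""
    history = baseline.get(flow.src)
    if not history or len(history) < 2:
        return []
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return []
    z = (flow.bytes_out - mu) / sigma
    return ["volume-anomaly"] if z > z_threshold else []


def assess(flow, baseline=BASELINE):
    """Combine the three metadata-only techniques into one list of findings."""
    return ioc_findings(flow) + encrypted_traffic_findings(flow) + anomaly_findings(flow, baseline)


# Constructed sample flows (TEST-NET addresses, reserved example domains).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 443, "www.example.com",
         "deadbeefdeadbeefdeadbeefdeadbeef", False, 1300, 40000, 2.1),
    Flow("10.0.0.5", "203.0.113.7", 443, "bad-update.example",
         "deadbeefdeadbeefdeadbeefdeadbeef", False, 1100, 3000, 0.5),
    Flow("10.0.0.5", "198.51.100.9", 443, "",
         "c0ffee00c0ffee00c0ffee00c0ffee00", True, 5_000_000, 2000, 600.0),
]


def triage(flows=SAMPLE_FLOWS, baseline=BASELINE):
    """Return {flow index: findings} for a batch of flows."""
    return {i: assess(f, baseline) for i, f in enumerate(flows)}


if __name__ == "__main__":
    for i, tags in triage().items():
        print(i, SAMPLE_FLOWS[i].sni or SAMPLE_FLOWS[i].dst_ip, tags)
```

The first flow produces no findings, the second is caught purely by the indicator feed, and the third is flagged by all three techniques even though not a single payload byte was read. In practice the baseline would be learned per host from days of flow records rather than a hard-coded list, and the fingerprint and indicator sets would come from a threat intelligence feed.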

Decrypting Network Traffic

Organizations have many reasons to inspect network traffic content, ranging from compliance to policy enforcement and security. For example, organizations may monitor outgoing data to detect the presence of sensitive information, ensure that employees only visit acceptable websites from their work computers, and understand if a compromised host connects to command and control (C&C) sites. To meet these objectives, many organizations have deployed instrumentation points that break open encrypted connections and allow security products to analyze payloads. Lastline Defender supports these instrumentation points, including Web Proxy, TLS Termination Proxy, Mail Transfer Agent and Active TLS Interception.
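The following added example (not Lastline's code) shows what a security product can do once such an instrumentation point hands it plaintext: the three objectives named above, sensitive-data monitoring, website policy enforcement and C&C detection, plus the object extraction mentioned earlier, run over a decrypted HTTP request. The request bytes, the domain lists and the data-loss pattern are constructed assumptions standing in for an organization's own policy and threat feeds.

```python
"""Added example: inspection of plaintext received from a TLS termination
proxy or web proxy. The request bytes, allow/deny lists and the DLP regex are
constructed for illustration; a real deployment would feed these from policy
and threat intelligence.
"""
import hashlib
import re

# Constructed policy data.
ALLOWED_SITES = {"intranet.example", "www.example.com"}
CNC_DOMAINS = {"beacon.example.net"}           # constructed, not a real indicator
# Constructed DLP pattern: a US-SSN-shaped number in the outbound body.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.1 request parser for already-decrypted bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return {"method": method.decode(), "target": target.decode(),
            "host": headers.get("host", ""), "headers": headers, "body": body}


def inspect_plaintext(req):
    """Apply policy and detection checks that only work on the payload."""
    findings = []
    host = req["host"].split(":")[0]
    if host in CNC_DOMAINS:
        findings.append("cnc-contact")            # known command-and-control site
    elif host not in ALLOWED_SITES:
        findings.append("site-not-allowed")       # acceptable-use policy
    if SSN_RE.search(req["body"]):
        findings.append("sensitive-data-outbound")  # data-loss monitoring
    ctype = req["headers"].get("content-type", "")
    if req["method"] == "POST" and ctype.startswith("application/octet-stream"):
        # Object extraction: hash the body so it can be matched against
        # signatures or submitted to a sandbox.
        digest = hashlib.sha256(req["body"]).hexdigest()
        findings.append("object-extracted:" + digest)
    return findings


# Constructed requests, as they would look after decryption.
REQ_OK = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_DLP = (b"POST /form HTTP/1.1\r\nHost: upload.example.org\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
           b"name=test&ssn=123-45-6789")
REQ_CNC = (b"POST /gate HTTP/1.1\r\nHost: beacon.example.net\r\n"
           b"Content-Type: application/octet-stream\r\n\r\n"
           b"\x00\x01\x02MZ-not-really")


def inspect_raw(raw: bytes):
    return inspect_plaintext(parse_http_request(raw))


if __name__ == "__main__":
    for raw in (REQ_OK, REQ_DLP, REQ_CNC):
        print(parse_http_request(raw)["host"], inspect_raw(raw))
```

None of these checks is possible on the encrypted connection itself: the host policy could at best be approximated from the SNI, and the data-loss match and object hash need the bytes of the body.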

Additional Details

Download our white paper, Network Security in an Encrypted World, to learn the advantages as well as the challenges of security products that monitor encrypted network traffic and how Lastline Defender addresses these issues.

Dr. Christopher Kruegel

Currently on leave from his position as Professor of Computer Science at UC Santa Barbara, Christopher Kruegel’s research interests focus on computer and communications security, with an emphasis on malware analysis and detection, web security, and intrusion detection. Christopher previously served on the faculty of the Technical University Vienna, Austria. He has published more than 100 peer-reviewed papers in top computer security conferences and has been the recipient of the NSF CAREER Award, MIT Technology Review TR35 Award for young innovators, IBM Faculty Award, and several best paper awards. He regularly serves on program committees of leading computer security conferences. Christopher was the Program Committee Chair of the Usenix Workshop on Large Scale Exploits and Emergent Threats (LEET, 2011), the International Symposium on Recent Advances in Intrusion Detection (RAID, 2007), and the ACM Workshop on Recurring Malcode (WORM, 2007). He was also the head of a working group that advised the European Commission (EC) on defenses to mitigate future threats against the Internet and Europe's cyber-infrastructure.