The Relevance of Network Security in an Encrypted World
Encrypted traffic is increasingly used by bad actors to conceal cyber threats. Gartner states that 60% of cyberattacks carried out in 2019 leverage encryption, while by 2020, the figure is set to rise to 70%. Understanding how your security solutions recognize or prevent threats within SSL traffic is extremely important since many tools can’t do this. This blog summarizes how security solutions can work with encrypted network traffic.
The Challenge of Encrypted Network Traffic
Encryption protects the confidentiality and privacy of sensitive data in motion. However, encryption also poses a challenge to network security products. If these products cannot inspect the payload of connections, they lose their ability to detect and respond to threats.
The Rise of Encrypted Data
The use of encryption on the Internet has risen dramatically. For example, the Google Transparency Report shows that the fraction of encrypted web traffic on the Internet has steadily increased, from around 50% five years ago to between 80% and 90% today.
Although the percentage of encrypted traffic on “the inside” — within the networks and data centers of organizations — is lower, initiatives such as the zero-trust network architecture will likely increase the number of organizations embracing encryption to secure internal data. Thus, it is important to understand how network security products can deliver visibility and protection in the presence of ubiquitous encrypted traffic.
Encrypting traffic prevents network security products from inspecting the payload. This means that they can neither leverage signatures to detect known threats nor extract objects (e.g., files or documents) before submitting them to a sandbox for deeper analysis. While this affects the effectiveness of network-based products, it does not mean that network security is obsolete. Users still need the complete coverage, the context, and the certainty that only the network can provide. However, users need the proper solution to obtain these resources.
Overcoming the Challenge: Lastline Defender
Lastline Defender is a Network Detection and Response (NDR) platform that detects and contains sophisticated threats. It does this by applying unsupervised Machine Learning (ML) to network traffic in order to detect anomalies, using supervised ML to create classifiers of malicious network activity and leveraging its Global Threat Intelligence Network to scan traffic for known malware payloads.
Lastline Defender employs two methodologies to deal successfully with encrypted communication: decrypting network traffic and analyzing encrypted traffic.
Analyzing Encrypted Traffic
Even when a Sensor has no access to decrypted traffic and payloads, Lastline provides significant protection against malicious activity. To achieve this, our solution inspects and uses traffic (connection) metadata and leverages the following three detection techniques: Anomaly Detection, Threat Intelligence and Indicators of Compromise and Encrypted Traffic Analysis.
Decrypting Network Traffic
Organizations have many reasons to inspect network traffic content, ranging from compliance to policy enforcement and security. For example, organizations may monitor outgoing data to detect the presence of sensitive information, ensure that employees only visit acceptable websites from their work computers, and understand if a compromised host connects to command and control (C&C) sites. To meet these objectives, many organizations have deployed instrumentation points that break open encrypted connections and allow security products to analyze payloads. Lastline Defender supports these instrumentation points, including Web Proxy, TLS Termination Proxy, Mail Transfer Agent and Active TLS Interception.
Download our white paper, Network Security in an Encrypted World, to learn the advantages as well as the challenges of security products that monitor encrypted network traffic and how Lastline Defender addresses these issues.