Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Decrypt SSL traffic to detect hidden threats

Kacy Zurkus | Feb. 3, 2016
The percentage of encrypted Internet traffic continues to grow creating a space where not only private information but also criminals can travel about undetected.

The percentage of encrypted Internet traffic continues to grow creating a space where not only private information but also criminals can travel about undetected. In the last five years, the advent of SSL traffic from major companies like Google, YouTube, and Twitter has spawned an expansive movement toward encrypting Internet traffic for enterprises as well. 

The risk in taking this security measure, though, is that while the exchange of information via the Internet is secured, bad guys can also linger unnoticed. Criminals, of course, know this and use it to their advantage, cloaking their attacks within Transport Layer Security (TLS) or Secure Sockets Layer (SSL) traffic.

Ryan Olson, director of threat intelligence unit 42, Palo Alto Networks said the concern for security professionals is that the security firewall can’t inspect the traffic. The bad guys know this, which leaves many companies trying to figure out what traffic to decrypt and how to go about decrypting.

Olson said, “The answer is not that simple. If a company decrypts everything, users are uncomfortable.” In order to secure the environment without compromising privacy, they need another layer, which means deciding from a policy perspective what they are going to encrypt and why.

“In some organizations, emails might be a threat vector, so a company might choose to decrypt that traffic, but the answer is going to differ for each company because they need to consider things from a cultural perspective as well.”

When traffic is encrypted, said Olson, it becomes this opaque glob of data. “Without being able to inspect, a criminal is hidden from those who are surveilling traffic as it would be from anyone else. You’re blind because you have no idea of what is contained inside.”

Because security teams can’t look inside the encrypted traffic, they don’t know whether it is data going out or coming in. In order to mitigate threats, security teams need to be able to see into the encrypted traffic.

Olson said, “An SSL connection occurs from browser to server. A signed certificate says ‘ok’, there’s an exchange of keys, and they encrypt all traffic from one end to the other.” The problem isn’t so much at either end, though, as it is right smack dab in the middle.

“Add a new certificate so that we can decrypt, which is only possible in a corporate environment,” said Olson. “For a security vendor to step into that traffic, they need to terminate traffic at two points. For example, a user browser reaches out to Google, a firewall captures the traffic and terminates the connection. We decrypt, inspect, re-encrypt, and then make a connection up to Google.”

 

1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.