In doing this, the company is still in control of the infrastructure they put in place. Olson said, “You can find a balance. Encrypt the traffic that doesn’t have a large impact on privacy. It’s a hot button topic, especially for enterprises because at the end of the day, it’s their network, their data, their computer. They are in a position to say they are allowed to surveil that data.”
Finding the balance means gaining some visibility into their network by determining how much traffic is SSL encrypted and not able to be inspected. “Everybody should ask how much traffic they want encrypted about their network. Have a conversation with users and talk about the value of SSL encryption and how they can do it without compromising privacy," said Olson.
In a recent webinar from A10 & Infonetics Research: Putting a Stop To Hidden Threats in SSL Traffic, Kasey Cross, security evangelist, A10 Networks said, “Your organization could be infected right now and you may not even be aware of it.”
Some security professionals think that they can detect threats by decrypting traffic on their firewall, but Cross said, “You really need to take into account your entire ecosystem and the fact that all of those products need to look at SSL traffic. You need to come up with a way to provide that SSL visibility to all of these product.”
The entire security ecosystem from DDoS prevention to SIEM or data loss prevention tools needs to look at traffic, including that encrypted traffic, said Cross. The trick is finding the way to provide that visibility efficiently, said Cross, “Because you don’t want to decrypt the traffic at every point or you are going to suffer really bad performance.”
Günter Ollmann, chief security officer, Vectra said, “The ability to inspect traffic is very helpful in being able to recognize loss and greatly reduce threats at the network level, but the security threats of SSL traffic are no different from any other major threats.”
While encryption does make it more difficult to detect or identify threats, Ollmann said, “If adequate logging is turned on, that logging will provide an evidence trail of the threats and activities that occurred during the attack. The SSL piece is again a metadata artifact, but the post attack investigation would focus on the logs themselves.”
Man-in-the-middle decryption offers an additional level of visibility, but Ollmann said, “Network monitoring and forensics is playing and will continue to play a larger part in identifying and mitigating these threats.”
While they can’t see the communication and they can’t see the data inside the transit, the other attributes about source information that security professionals can obtain, such as timing, frequency, and duration, can be used at a network level to detect threats.
Sign up for CIO Asia eNewsletters.