Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Performance, management and privacy issues stymie SSL inspections, and the bad guys know it

Maria Korolov | Sept. 20, 2016
The technology is there for companies to inspect SSL traffic, but performance, management and privacy concerns combine to hinder its adoption.

End point visibility is especially critical in helping detect malware that uses its own encryption methods, said Zulfikar Ramzan, CTO at RSA Security.

"And if you can tie that back into the network, that would be even more powerful," he added. "Early indicators are that this is an important and growing market going forward."

In addition to commercial tools, there are also home-grown solutions that companies can script themselves, said Anuj Soni, an instructor at the SANS Institute and senior threat researcher at Cylance.

"You can collect information about the files located on the disk, the registry configuration settings," he said.

When decryption isn't an option

SSL isn't the only form of encryption that attackers can use. Even simple-to-break ciphers like XOR can provide a level of security, and the more advanced encryption algorithms are practically unbreakable.

"It is all too simple for attackers these days to encode or encrypt communications," said Soni.

But that doesn't mean that there's nothing you can do.

"Even if you have no visiblity into the communications, you can look at the volume of data, the timing," said Soni. "You can determine the domain names and IP addresses that the traffic is going on. There are hundreds of artifacts produced across a traditional Windows operating system when packaging up documents. Even if malware is not resident on the machine, you can still find numerous artifacts that malicious activity has been taking place."

In addition, companies can ask themselves how much rogue encryption they want to have, said Jamz Yaneza, threat research manager at  Trend Micro.

"You shouldn't have weird kinds of encryption going through your networks," he said. "Companies should have policies where they flag weird encrypted traffic to places that they don't do business with or have contacts with."

Trend Micro's appliance inspects packets going through the network and looks at the non-encrypted portion surrounding the encrypted body of the message. For example, the destination has to be specified in plain text.

"It could take a few hundred years to break some types of encryption," said Yaneza. "But there's always a way for us to identify that type of traffic."

Security tools can look for indicators that the traffic is malicious, either in the way the message is encoded, in its source or its destination, in the way that it behaves.

"You can also create a baseline and match that baseline against the traffic on the network," he said. "And when there are anomalies, create policies for them."

Trend Micro also works with the major cloud application providers, like Dropbox, to close down malicious channels.

"We have great synergy with them," he said. "With Dropbox or Google Drive or One Drive, we tell them that there are accounts that are being abused by a malware author, and they take them down."


Previous Page  1  2  3  4  5  Next Page 

Sign up for CIO Asia eNewsletters.