Encrypted Traffic: The Elephant in the Room for a Successful NDR Strategy

There has been ongoing dialogue among IT decision-makers on the increasing need for network-based visibility. However, with more than 95% of all Internet-based traffic being encrypted, there is a need for real-time decryption as a requirement for a successful Network Detection and Response (NDR) strategy, which is somewhat of the elephant in the room among IT professionals.

In addition, decision-makers face new challenges regarding compliance requirements to encrypt data while it moves across a network and also the need to continuously monitor network traffic. With these somewhat conflicting compliance requirements for both decryption and encryption, how can IT decision makers know the right choices to make for both and when to choose one over the other? In this article, we'll explore this topic, as well as how to securely decrypt network traffic – all of which are vital for a successful NDR strategy now and in the future.

Encryption and Decryption: A Primer

There are two main categories of encryption: symmetric and asymmetric. Symmetric encryption uses a single key that both parties need to have for communication to work. It has relatively small key sizes, is fast, and has low resource utilization. Asymmetric encryption needs two separate keys—one called the public key that is available to anyone, and the other called the private key that remains with the person or system that created the public/private key pair. With asymmetric encryption, key sizes are much larger. It also is much slower and needs a lot more resources.

The main problem with symmetric encryption is the need for both parties to have the same key. How do you exchange a key that needs to remain private across an untrusted medium such as the Internet? Either the key needs to be exchanged privately ahead of time, or a different medium is needed to exchange the key. As for asymmetric encryption, the challenge is from a speed and resource perspective.

Secure Transit Via Encrypted Data

Transport Layer Security (TLS) uses both of these types of encryption in order to securely transport data across the Internet. TLS relies on a certificate authority (CA), a trusted organization that verifies websites (and other entities) so that organizations know who they’re communicating with online. Here’s how it works: when a client sends a request to a server, the server responds with its signed certificate and public key. This allows the client to check with the CA and verify that the server is the system it says it is. The client then uses this public key from the server to send a message to establish a session key with this server—a key that only the server can decrypt with its private key—and communication continues with that session key. This is how we know that the data sent between the client and server is secure.

So, how can we decrypt this data? Trusted devices can be deployed on internal networks to ensure that traffic is still encrypted securely as it is sent out to the Internet while also allowing administrators to determine if portions of the traffic should be decrypted. This ensures that traffic remains secure when on untrusted networks while also allowing trusted applications to analyze the decrypted traffic. Once we've successfully decrypted the traffic, the best way to handle it is by sending it directly to the device that is going to analyze the traffic. This can be done with a Packet Flow Switch. Taking this approach allows for multiple copies of the decrypted traffic to be sent to different appliances. Decrypt once; analyze with multiple tools. This keeps latency down and ensures that only those appliances that need to see the decrypted traffic get access to it. 

A second decryption scenario is to share the server’s private key with the monitoring application. In this situation, the encrypted traffic is not decrypted until it is actually on the monitoring system, ensuring that it is not accidentally sent out in plaintext. Each of these decryption capabilities has its own uses, and which one is used is based on where the traffic is going and the version of TLS that is used.

Ultimately, there was a reason why traffic was encrypted in the first place, and to securely decrypt the traffic, it’s critical to understand the encryption procedure. Both processes are critical to understanding how to achieve better network visibility, threat detection, and response to the packet level.

Comprehensive Network Visibility for An NDR Strategy: Secure Decryption

Enterprise networks can't be protected against threats that aren't seen. While that might seem like a simple concept, it's hard to accomplish since today's enterprise networks are a complex mix of legacy networks, branch offices, and resources in home and remote environments, as well as public, private, and hybrid clouds.

NDR solutions should give enterprises comprehensive network visibility that is both broad (e.g., visibility across the entire digital infrastructure) and deep (e.g., down to a packet level). With 95% of all network traffic encrypted today, NDR solutions must have the ability to analyze encrypted traffic and securely decrypt it to detect threats that attempt to cloak themselves in legitimate encrypted traffic.

Further, NDR solutions should have multiple ways to safely decrypt traffic in real-time, as well as the ability to detect threats such as through statistical and behavioral analysis techniques, curated threat intelligence feeds, open-source rules, and signature engines, as well as other advanced threat analytics potentially backed by machine learning or artificial intelligence.

Using a Packet-based NDR Strategy

Without question, networks will be breached. And security teams will rely upon many different cybersecurity tools, such as TLS encryption and decryption, to protect their organizations from a successful cyberattack. As networks become more complicated and threat actors and their malware become more sophisticated, the network remains a strategic vantage point from which to protect a business from cyberattacks. Highly scalable and packet-based NDR solutions provide network intelligence and data that fill the gaps in the SOC Visibility Triad, making the existing cybersecurity stack, staff, and overall cybersecurity simply better. But to implement a successful NDR strategy, network managers must first prioritize a strategy for safer decryption of encrypted traffic to successfully mitigate attacks now and in the future.

Erik Hjelmstad is a Senior Security Solutions Architect at NETSCOUT.

Related articles: