As organizations invite more mobile and IoT devices into their networks and adopt increasingly complex multi-cloud architectures, data and workflows are no longer confined to a static and highly secured segment of the network. Web and application-based traffic comprise a higher volume of total traffic, with much of that traffic including sensitive data or accessing information that was traditionally hidden deep in the data center. To accommodate this change, organizations are increasing their reliance on encryption, primarily secure sockets layer (SSL) and transport layer security (TLS), to protect their data in motion.
More encrypted traffic than ever
As a result, encrypted traffic has hit a new all-time threshold of over 72 percent of all network traffic. That’s a nearly 20 percent increase in just a single year, up from 55 percent in Q3 of 2017. There are many benefits to this strategy, the most important of which is that it allows data, applications, workflows, and transactions initiated by both employees and consumers to travel wherever business requirements demand. In turn, this enables our global transition to a digital economy.
While in many ways the growth of encryption is a good thing for security, higher encryption rates also present severe challenges to deep inspection of traffic to monitor for and detect threats. Because encryption is merely a tool, it can be used to protect any traffic from detection, whether good or malicious. Cybercriminals, for example, are very aware of the growth of encryption and use it to their advantage to obscure their presence and evade detection, whether delivering malware of exfiltrating stolen data. And as the volume and percentage of encrypted data continue to grow, these criminal tactics are increasingly likely to be able to hide in plain sight.
Few security devices can keep up
One reason why this is a growing concern and is about to hit a critical threshold is that inspecting encrypted traffic imposes critical performance limitations on nearly all firewall and IPS devices available on the market today. Generally speaking, examining encrypted traffic puts an enormous strain on a security device. Using ciphers to decrypt and inspect SSL/TLS traffic correctly is extremely CPU-intensive.
According to recent test results from NSS Labs, very few security devices can inspect encrypted data without severely impacting network performance. On average, the performance hit for deep packet inspection is 60 percent, connection rates dropped by an average of 92 percent and response time increased by a whopping 672 percent. Even more concerning, not all products were able to support the top 30 cipher suites either, meaning that some traffic that appeared to be analyzed wasn't being processed by some of the security devices at all.
Of course, these types of results render most traditional security devices nearly useless in today’s networks where encryption is the norm and performance is critical. It’s also why most security vendors literally don’t publish their SSL/TLS inspection numbers and why salespeople tend to avoid the issue when it comes up. As a result, much of today’s encrypted traffic is not being analyzed for malicious activity—making it an ideal mechanism for criminals to spread malware or exfiltrate data.
At the same time, enterprises must be aware of and concerned if they are not decrypting and inspecting SSL traffic, not just from untrusted sources, but from devices – especially IoT – that have been intentionally deployed inside the network.
Addressing the challenge
Here are a handful of suggestions to help organizations address this growing security concern:
Practice good security hygiene – Nearly every list of recommendations should start here. The reality is that most problems encountered in today's networks are the result of a failure to patch, upgrade or replace vulnerable devices, to check configurations for errors and to harden things like ports to prevent easy exploitation.
Test your current devices – As your network environment continues to evolve, it is critical that you identify potential bottlenecks before they occur. Where possible, test existing security devices for performance issues when inspecting high volumes of SSL/TLS encrypted traffic. Likewise, check to ensure that they support all of the major ciphers. Here is the latest list of the Top 10 Ciphers gathered from the Alexa Top 1 Million from last August:
- ECDHE-RSA-AES256-GCM-SHA384 120,760
- ECDHE-RSA-AES128-GCM-SHA256 99,106
- ECDHE-ECDSA-AES128-GCM-SHA256 37,199
- ECDHE-RSA-AES256-SHA384 11,313
- DHE-RSA-AES256-GCM-SHA384 3,201
- ECDHE-RSA-AES256-SHA 1,932
- 0 1,805
- AES256-SHA 1,412
- DHE-RSA-AES256-SHA 1,330
- AES128-SHA 1,073
Implement network controls – An ounce of prevention is worth a pound of cure. In networking terms, that means engineering as much of the risk as possible out of the network. In the case of preventing a cyber incident due to encrypted malware, prevention includes implementing NAC to identify devices, automatically segmenting traffic to limit risk and using behavioral analytics so that when applications aren't where you expect them, or traffic is originating from an unexpected place, you get an alert.
Consider an off-device decryption solution – If your volume of encrypted traffic is overwhelming available resources, consider implementing a purpose-built solution whose only function is to decrypt and re-encrypt data.
Not all security devices are the same – Test results from third-party labs like NSS are your friend. Where possible, a fully integrated solution solves a lot of problems, especially when resources are tight. The truth is, a few vendors – albeit a tiny handful – have the SSL/TLS inspection challenge issue well in hand and should be examined to see if they are good candidates for replacing currently deployed solutions that can't keep up.
This is just the beginning
If your organization hasn’t been impacted by this challenge yet, it soon will be. There is no sign that traffic volume is going to slow down, nor that the percentage of network traffic being encrypted and needing specialized inspection is going to taper off. The best approach is to address this challenge before it becomes critical. The last thing you want to do is allow uninspected traffic to flow freely through your network, nor to be the victim of your own denial-of-service outage because your security tools could no longer meet your network’s performance requirements.