Are network-based security detection tools going dark?

In cybersecurity, there is no shortage of detection tools designed to alert organizations to potential threats.  To over-simplify things, you can broadly categorize these into two camps (although there are others):  Endpoint Detection tools, and Network Detection tools. Each provide unique benefits and a unique perspective upon threats, but each also have their drawbacks.

Endpoint detection solutions, like virus scanners or ETDR systems provide visibility upon what happens on the endpoint, regardless of where the endpoint is located.  If the user encounters a threat while at the local coffee shop or at home, the endpoint can continue to be protected.  However, an endpoint solution can only defend systems upon which they are installed.  As most organizations are not heterogenous (I.E. 100% Windows 10, for example) and most endpoint solutions do not have solutions for every platform (I.E. mobile devices and Linux servers may not be covered), endpoint solutions must be augmented with other solutions to get total visibility. 

Network-based detection solutions (such as IDS/IPS, ATP, NTA) have provided visibility into places where endpoint cannot (and vice-versa). By observing all traffic exchanged within a location, you can identify threats associated with devices upon which no endpoint solution is or could be installed.  Network-based security solutions provides a single point of access to protect the largest portion of your organization. 

As it is the case with all detection tools, you cannot detect a threat which you cannot see, and you cannot prevent threats you cannot detect.  Endpoint solutions cannot detect threats on devices where they aren’t installed, and network-based solutions can’t detect threats in network traffic that they can’t interpret.

Encryption is turning out the lights on network security solutions

Network Encryption, like SSL and TLS, is an important tool for privacy and its benefits for organizations cannot be overstated.  However, the benefits of network encryption cut both ways.  Bad actors can use encryption technologies to obfuscate attacks, obscure command and control (C2), hide downloads of malware or other malicious payloads, and even hide exfiltration of company assets.  If the network detection solutions cannot interpret the data they analyze, they cannot detect the malicious behavior either.

Unfortunately, the problem is getting worse.  NSS labs predicts that, by 2019, 75% of all network traffic will be encrypted.  While user demand for privacy is certainly influence this trend, this increase is not exclusively demand driven.  Services like Let’s Encrypt are making it far easier to implement encryption on websites, and Google has also been promoting adoption by considering encryption as a factor in page rank.

To address this growing blind-spot, many organizations try and implement decryption mechanisms to promote visibility into their network traffic by their security monitoring tools, but this too presents a challenge.

The challenge of decryption

Organizations do have some strategies to help regain some visibility into encrypted network communications.  There are many solutions to decrypt ingress or egress traffic within an organization.  Some solutions provide standalone decryption capabilities for the purpose of delivering unencrypted network flows to one or more security and detection appliances, while some security appliances integrate this capability directly.

There are several factors that must be considered before selecting a decryption strategy.  Decrypting SSL and TLS traffic can be resource intensive and can potentially introduce additional latency into the end user experience.  As such, you want to use decryption sparingly when necessary.

The first point of consideration is the number of detection tools the organization has that may take advantage of decrypted data.  If the organization only has a single detection device, performing decryption on the device may be an option.  However, if there are multiple tools, each needed access to decrypted data, the user should consider a “decrypt once” strategy, having a single decryption engine delivering decrypted data to all of the security tools before re-encrypting the data and delivering to the target. 

Additionally, as decryption is resource taxing, performance of the appliance can be impacted when enabled. In many cases, enabling decryption can drop performance of a device by 50%.  This may obfuscate the total cost of ownership of performing decryption within the security appliance.  Be sure to factor in the cost incurred by performance degradation before selecting.

The second factor is what information needs to be decrypted.  Encrypted data may fall on one of two sides of a spectrum of importance.  On one side, you may have “high-volume, low risk” encrypted data that would be costly do decrypt, with little return on the investment.  For example, decrypting a Netflix session may be very resource intensive, with the associated risk for not decrypting being low.  Users may elect to bypass decrypting such data as a result.  At the other end of the spectrum, you may have important sensitive data, such as end-user personal banking data.  While this would be infrequent and potentially low impact to system resources, once decrypted you may be placing your organization in the role of safeguarding that data.  For liability purposes, you may elect that the risk of access to sensitive data while decrypted may outweigh the risk of attack by way of that attack vector.

Finally, some newer technologies such as TLS 1.3 present additional challenges to decrypt, and may require a “Man in the middle” approach to decryption.  Organizations must decide whether to ratchet-down encryption methods that present decryption challenges (decreasing potential privacy), introducing more active man-in-the-middle approaches (increasing complexity) or ignoring complex encryption algorithms (introducing a potential attack vector).

Policy decisions

Ultimately, many of these paths include policy decisions.  Should your organization introduce decryption technology, and if so how and where?  What data should your organization decrypt and how will it safeguard user privacy in the process?  What will be your organization’s stance on the decryption of newer, more complex algorithms?  As is the case for many security challenges, it depends on the goals of your organization, and often includes the balance between convenience and security efficacy.

Network-based detection has always been a strong part of an overall security ecosystem.  With increased use of encryption technology, these tools must adapt to make sure they have adequate visibility into the threats from which they hope to protect us.