Encrypted Traffic Inspection Lags as Malware Rises
Ransomware, malware, and other forms of cyber-attacks continue to rise. Ransomware alone increased by 151 percent globally in the first half of 2021; according to the FBI, there are now 100 different strains at large. Even in the face of this threat, companies inspect less than half of their web traffic for attacks, intrusions, and malware—and 28 percent inspect less than a quarter of their web traffic. Why do so many businesses risk allowing a threat into their environment? Often, it comes down to the widespread use of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
TLS/SSL encryption is a popular and highly effective method for keeping computer hackers from snooping into traffic. Unfortunately, it also has the same effect on security devices—rendering them unable to detect ransomware and other malware. Hackers know this, and they make ample use of this vulnerability with as many as 46 percent of malware attacks using TLS/SSL encryption as part of their delivery and communication mechanisms in 2021.
This is clearly a major problem—and yet many companies continue to ignore the TLS/SSL encryption blind spot, failing to address it effectively.
Survey: Companies Recognize the Problem of the TLS/SSL Encryption Blind Spot
A recent survey by Pulse and A10 Networks explored the current opinions of technology leaders regarding encrypted traffic inspection. Unsurprisingly, the results found near-universal awareness of the security risks posed by TLS/SSL encryption. A full 97.5 percent of the technology executives, directors, and managers surveyed were concerned about the potential for a cyber-attack to be concealed within encrypted communications entering their network. With more than 50 percent of these organizations’ traffic being encrypted, this concern is entirely justified.
There is a solution available: encrypted traffic inspection. With this approach, companies decrypt inbound and outbound TLS/SSL traffic to allow inspection by their full network traffic security stack, including firewalls and intrusion prevention systems (IPS), data loss prevention (DLP), forensics, advanced threat prevention (ATP), and more. Once this inspection is complete and any detected malware has been blocked, traffic can be re-encrypted before continuing on its way.
But are companies actually taking advantage of this capability? If not, why not?
Perceived Pros and Cons of Encrypted Traffic Inspection
Companies are well aware of the security risks they face. Over 80 percent of respondents considered it likely that their organization has been the victim of a cyber-attack or malicious insider activity in the past 12 months. Most also recognize the potential value of encrypted traffic inspection, with 73 percent saying that the inspection of TLS/SSL traffic and visibility into it is moderately or very important to their company’s overall security infrastructure. And yet, when asked if their company decrypts web traffic to detect ransomware, malware, intrusions, and other forms of cyber-attacks, fewer than two-thirds answered affirmatively. Twenty percent said no—and 21 percent weren’t sure one way or the other, a possible sign that not every company is taking the issue as seriously as they should.
When asked why they weren’t decrypting traffic for inspection, companies cited a lack of tools and resources as well as concerns about privacy and performance. The former is simply a matter of priorities; given the scale of the cyber-attack risk, tools and resources for encrypted traffic inspection should be a must-have in every organization’s budget. Performance degradation, on the other hand, is a real and pervasive problem—encountered by 80 percent of respondents using decryption—that calls for a technical solution.
Typically, the reason for performance issues lies in the way encrypted traffic inspection is implemented. Often, decryption is approached as an add-on feature to existing elements of the enterprise security stack. However, these devices are not optimized for compute-intensive decryption and re-encryption processes. This results in bottlenecks in the network. The problem is compounded when the function is repeated by each individual device in turn—DLP, antivirus, firewall, IPS, and IDS—to allow its own inspection. As an alternative, companies can avoid performance penalties by deploying a dedicated and centralized decryption platform. As a specialized solution for encrypted traffic inspection, this platform can be optimized for the processing requirements of this function. By enabling a decrypt-once, inspect-many-times approach across the entire security stack, the platform can eliminate the bottlenecks and inefficiencies of a device-by-device approach.
A dedicated and centralized decryption platform can also help companies address privacy issues around encrypted traffic inspection. To ensure compliance with regulations such as GDPR, HIPAA, FISMA, PCI DSS, and Sarbanes-Oxley (SOX), the platform can selectively bypass traffic to banking and healthcare sites, and other traffic that might contain confidential banking or healthcare records, ensuring that this sensitive data will not be sent to security devices or stored in log management systems.
The High Cost of Inaction
As cybercrime grows more sophisticated each day, and as attacks become easier and cheaper to launch, companies can’t afford to leave gaps in their security posture. Damages from cybercrime are expected to total $6 trillion in 2021—and reach $10.5 trillion annually by 2025. A ransomware attack will strike every 11 seconds this year, with damage costs of $20 billion. And monetary damage is only part of the impact of these attacks; victims also suffer reputational harm, damaged customer relationships, regulatory fines, disrupted business operations, diverted IT resources, and more.