The challenge of encrypted traffic for network defenders [Q&A]
When it comes to protecting sensitive information like financial data, personal information, and intellectual property, encryption has become a must. Encryption scrambles data with an algorithm so that only those holding the decryption keys can read what is being secured.
Encrypted traffic has fulfilled its intended mission: to lock down data. But could it simultaneously be helping bad actors slip by undetected? And could encrypted traffic actually make it harder for network defenders to spot threats before it's too late?
To find out, we sat down with Phil Owens, VP of customer solutions at Stamus Networks. Phil believes organizations don't have to choose between securing data or making the job of network defenders easier. The secret? Leveraging network detection and response (NDR) and non-decryption techniques, which allow security analysts to identify and respond to threats quickly. Read on to hear what Phil has to say about the challenges of encryption and how to overcome them.
BN: Why is the use of encryption on the rise?
PO: To put into perspective just how common encryption has become, Google reports that more than 95 percent of traffic on the web today is encrypted compared to 50 percent in 2014 -- that's a huge jump! Why is the use of encryption skyrocketing? There are a few reasons. First, more websites are implementing HTTPS, which encrypts communication between a user’s browser and the server. And it's usually offered for free now to anyone hosting a website. Beyond browsers, apps such as WhatsApp and Signal offer end-to-end encryption to secure messages so that service providers can't read them. In the business world, encryption is critical for transferring data securely between locations and for securing data at rest -- for example on individual computers, in databases, or entire cloud deployments. Finally, depending on where organizations are located or do business, encryption may be required to comply with data privacy regulations such as GDPR and CCPA.
BN: What are the challenges of encryption for security teams?
PO: Encryption is a great tool for enhanced privacy and information security, but it also presents a major challenge for network defenders because it creates blind spots. It's like putting a blindfold over their eyes and asking them to go find the most imminent threats. If they can't see the contents of encrypted traffic, they aren’t able to detect malware, data breaches, and other malicious activity and respond quickly before damage is done. This allows bad actors to hide their threats among the very data they’re trying to keep safe.
BN: Is decryption not an option?
PO: Decryption seems like the obvious answer here, but for some organizations, it's simply not an option. Decryption provides full visibility into the contents of the sessions taking place within the network, and as a result, faster threat detection and response. However, these benefits can also create many other challenges. Decryption fundamentally defeats the purpose of encryption, leaving potentially sensitive information exposed to bad actors. This can lead to privacy concerns and regulatory non-compliance issues. For organizations facing these obstacles, decryption is not an option.
BN: If decryption is off the table, where can organizations turn?
PO: Many organizations may not be aware that the network offers tremendous opportunity for solving this decryption dilemma. NDR is a powerful tool allowing organizations to analyze network traffic for anomalies and suspicious behavior, even within encrypted data streams. Advanced techniques, such as fingerprinting, machine learning, and behavioral analysis, help determine potential threats, which can then be set up to trigger automated responses. Again, this is all done without decryption.
There are several non-decryption mechanisms that can be used to do this, including:
- TLS metadata -- Extracted from the handshake at the beginning of a TLS session. This can be used to spot behaviors and anomalous activities on the network.
- JA4/JA4s client-server fingerprints -- A unique fingerprint derived from a hash of TLS handshake metadata. It doesn’t rely on IP addresses.
- Host behavior anomalies -- Identifies never-before-seen hosts and users on the network. Deviations help trigger investigations.
- Command and control beacons -- Periodic messages used by malware to establish and maintain communications with control and command centers. This helps identify suspicious command and control centers used by malware, enabling early detection.
- Cipher suite identification -- The cipher suite determines the encryption algorithms used in a network session. Comparing cipher suites to industry standards can help determine relative security levels and whether the encryption meets the organization's policies.
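The JA4 client fingerprint listed above, as an added re-implementation of FoxIO's published JA4 algorithm (this is not code from the article, from Stamus Networks, or from the JA4 reference implementation). It assumes the ClientHello has already been parsed into cipher, extension and signature-algorithm lists; the sample handshake values are constructed, not captured.

```python
import hashlib

# RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa); JA4 ignores them everywhere
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}
TLS_VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}

def _hash12(raw):
    """JA4 hashes its raw b/c strings with SHA-256 and keeps the first 12 hex chars."""
    return "000000000000" if not raw else hashlib.sha256(raw.encode()).hexdigest()[:12]

def ja4(ciphers, extensions, sig_algs=(), alpn=None, supported_versions=(),
        hello_version=0x0303, quic=False):
    """Return the JA4 fingerprint 'a_b_c' from parsed ClientHello fields.

    Only handshake metadata is used: no payload, no IP address, no decryption.
    """
    ciphers = [c for c in ciphers if c not in GREASE]
    extensions = [e for e in extensions if e not in GREASE]
    versions = [v for v in supported_versions if v not in GREASE]
    # Version comes from supported_versions when present, else the legacy field
    version = TLS_VERSIONS.get(max(versions) if versions else hello_version, "00")
    sni = "d" if 0x0000 in extensions else "i"           # SNI present (domain) vs. raw IP
    alpn_str = f"{alpn[0]}{alpn[-1]}" if alpn else "00"  # first + last char of first ALPN
    part_a = (f"{'q' if quic else 't'}{version}{sni}"
              f"{min(len(ciphers), 99):02d}{min(len(extensions), 99):02d}{alpn_str}")
    # JA4_b: cipher suites sorted, so client-side list randomisation does not change it
    part_b = _hash12(",".join(f"{c:04x}" for c in sorted(ciphers)))
    # JA4_c: extensions sorted, minus SNI (0x0000) and ALPN (0x0010),
    # followed by the signature algorithms in their original order
    ext_raw = ",".join(f"{e:04x}" for e in sorted(extensions) if e not in (0x0000, 0x0010))
    sig_raw = ",".join(f"{s:04x}" for s in sig_algs if s not in GREASE)
    part_c = _hash12(f"{ext_raw}_{sig_raw}" if sig_raw else ext_raw)
    return f"{part_a}_{part_b}_{part_c}"

# Constructed ClientHello metadata for a hypothetical TLS 1.3 client (not a real capture)
SAMPLE = dict(
    ciphers=[0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0x0a0a],
    extensions=[0x0a0a, 0x0000, 0x0017, 0x002b, 0x000d, 0x0010, 0x0033],
    sig_algs=[0x0403, 0x0804, 0x0401],
    alpn="h2",
    supported_versions=[0x0a0a, 0x0304, 0x0303],
)

if __name__ == "__main__":
    print(ja4(**SAMPLE))  # JA4_a for this sample is t13d0506h2
```

Because JA4_b and JA4_c hash sorted lists, a client that shuffles its cipher or extension order still produces the same fingerprint, which is what makes it usable for tracking tooling across sessions and addresses.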
If none of these mechanisms is an option, alternatives do exist, including external decryption and built-in or endpoint decryption -- both of which come with their own set of pros and cons.
For security teams who find themselves unable to gain greater visibility into encrypted traffic, it's important to remember that solutions exist. NDR is a powerful way for network defenders to analyze network traffic and spot anomalies before threat actors can do serious damage.