Decrypt-examine-encrypt: the overheads of security have a solution

22 June 2022

Source: Gigamon

One of the unpleasant truths of cybersecurity is that no single layer of protection is sufficient to protect an organization from every eventuality. In most cases, no single combination of cybersecurity measures will protect 100% of the time. That directly contradicts the tone of many security companies’ marketing materials, but seasoned professionals in cyber know better than to take any vendor’s claims at face value: it’s simply not worth the risk.

A proactive cybersecurity posture is one that’s dynamic, pretty much vendor-agnostic and that uses available tools and specialist applications where they’re best suited. When organizations want to examine traffic on networks that include private, public and multi-cloud assets, the big stumbling block is encryption.

Encrypted data is now so ubiquitous that an unencrypted instance of a website or cloud-based service is enough to raise eyebrows among even non-technical end-users. Yet the effects of a successful attack will be as hidden by encryption as genuine, everyday traffic. Detection of anomalous traffic behavior is one thing (and oftentimes is useful), but for total network visibility, non-impactful methods of decryption/re-encryption on the network layer are necessary.

Inspecting encrypted traffic on-the-fly sounds expensive in terms of processor cycles, but as Chris Borales (Senior Product Marketing Manager at Gigamon) told Tech HQ recently, “If [bad actors] are communicating with their command-and-control server, [and] if you’re encrypting all of your internal traffic, that traffic effectively becomes hidden from all your security tools.”

The de facto standard in the type of specialist technology capable of decrypt-examine-encrypt at enterprise scale is Gigamon. The technology isn’t necessarily particularly complex at its root, but doing it in any meaningful way without paying those network overhead dues requires a particular, highly optimized technology stack.

A few years ago, there may have been an option to turn off encryption, for instance, on choice subnets or network segments. But today, encryption isn’t just a nice-to-have, a digital comfort blanket for the security paranoid. As well as giving users and private systems the protection they need, there are also, increasingly, regulatory controls in play. “When we look at things like GDPR,” Chris said, “you need to make sure that you are in compliance with government regulations that say that traffic has to be encrypted. So, if you’re turning on decryption, when traffic goes to X location, you need to be able to make sure that you’re re-encrypting it.”

If encryption is a blanket approach in 99.9% of settings, then should enterprises consider wide decryption and examination systems? It’s not really practical, Borales told us, to decrypt network-wide: “We partner with your security organization to find where on the network is the most vulnerable and deploy [the capability] there. It’s not something that can just be flipped on by a switch, it does require a lot of coordination between departments. So, you want to make sure that you are adding this capability only where you think the security risk is highest.”

One of the big challenges is the predominance today of cloud-based services that effectively extend the company LAN out onto the big WAN we like to call the internet. Can a LAN-based device handle this type of topology, we asked? “Using the Gigamon Deep Observability Pipeline, organizations can manage the data on their networks and […] distribute, analyze, transform or investigate that data whether the customer is using a combination of public or private cloud and on-prem. We need to be available everywhere networks are deployed.”

The changing nature of the modern business network is something that is an everyday reality for IT professionals, whether systems administrators, compliance specialists, or security analysts. As well as daily changes to topologies, there are also changes in technology: TLS 1.3 being front-of-mind in the context of encrypted packet streams (there’s a Gigamon whitepaper on this subject [PDF], by the way).

Many readers won’t be surprised by Chris’s next statement, however: “The one thing that’s alarming, is that we’re seeing organizations still using TLS 1.0. And you’re seeing the presence of even SSL on internal and external traffic. So, you’re seeing these legacy, really legacy encryption methods that are not PCI compliant, and that just isn’t secure anymore.”

And while many enterprises will be assured that they are at least not among the lowest of low-hanging fruit, that’s little comfort when having to present metrics on security risk to the board. While no platform or combination of platforms can assure utter safety, knowing precisely what’s happening deep in the OSI layers can be a significant source of knowledge.

That’s what Gigamon brings to the table, and where it has made its name. To find out more, there’s a series of live demos and test drives to get started.

