
3.3 Million Cyber-Attacks Hidden in Encrypted Traffic: Why Encryption for Network Security Is a Double-Edged Sword

Image Credit: Gigamon

The Fast Mode spoke to Adrian Belcher, Solutions Architect at Gigamon, on new encryption technologies and their impact on today's networks. Adrian joins us in a series of discussions with leading vendors in the traffic management, service assurance, traffic monitoring, analytics, policy control and network security space, assessing various attributes of encryption, its benefits as well as the challenges it poses, specifically the loss of visibility that makes networking increasingly complex.

Tara: How does encryption affect network security?

Adrian: In a recent Gigamon survey, we found that 59% of global IT and Security professionals agreed the ransomware crisis worsened towards the end of 2022, and 95% had experienced ransomware attacks over the last 12 months. What’s more, adversaries are becoming more sophisticated and targeted in their tactics, techniques and procedures (TTPs). And while 5G is inherently more secure, getting cybersecurity right for wireless networks requires a total paradigm shift and a new set of skills for security professionals to master.

Therefore, ransomware attacks are almost inevitable for organisations in the telecommunications space, and they are also becoming more devastating. To combat this issue and better protect sensitive data from unauthorised users, encryption both at rest and in transit must be treated as a critical pillar of an enterprise’s cloud and network security posture. The good news is that, according to Google, 95% of global internet traffic is encrypted. This is because encryption is being increasingly used by enterprises that are seeking to meet stringent security mandates while simultaneously moving more workloads to the cloud and embracing software-as-a-service (SaaS) applications.

5G networks also encrypt more data than previous network evolutions, which may seem wholly positive on the surface. However, there is a downside to the proliferation of encryption: it is not simply used as a tool against cybercriminals, but it’s increasingly leveraged by the threat actors themselves. They typically use encryption to hide malware, conceal malicious communication and mask any stolen data that is being exfiltrated. In fact, over 3.3 million cyber-attacks in 2022 were hidden in encrypted traffic. Given how extensively enterprises are relying on encryption both for compliance and security, the criminal hijacking of SSL/TLS encryption is a top concern. Security teams therefore need a way to gain visibility into all data in motion, encrypted traffic included, to ensure it is safe.

Tara: What technologies/techniques can potentially help in delivering visibility into encrypted traffic?

Adrian: Encryption essentially blinds security monitoring tools. But visibility, especially into east-west traffic, is necessary for not only the detection of threats that may be moving laterally and using encryption to do so undetected, but also for compliance with data protection legislation, to troubleshoot any network bottlenecks or inefficiencies and to measure performance more accurately.

A pipeline of deep observability is integral for boosting visibility, and therefore security, in encrypted traffic. By deep observability we mean actionable, real-time, network-level intelligence that amplifies the power of the monitoring tools that many organisations will already have in place. This solution is becoming vital to support the telecommunications industry with reducing the complexity of their networks, eradicating blind spots where threat actors may be hiding, and also flattening the 5G cost curve.

Traffic intelligence through TLS decryption forms a key part of the deep observability pipeline for service providers. It enables IT and security teams to analyse encrypted traffic in order to monitor network performance and protect their encrypted data from malicious actors. TLS decryption powered by deep observability is invaluable for not only getting this all-important visibility into encrypted traffic, but also re-encrypting data to ensure compliance.

It is worth noting that decryption is hugely computationally intensive and can cause latency across the network. The best architecture is therefore one that reduces the decryption needed to analyse all traffic. In fact, decrypting should be centralised – done once and fed into every tool – rather than at each end-point. And while there are a number of options out there, many can create performance challenges. Web security gateways and firewalls will decrypt data but cannot then deliver this traffic to other security tools, for example. Security teams need to implement a centralised platform that provides a single pane of glass view across all architectures, feeding into all tools in order to get TLS decryption right without causing further issues down the line.
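The visibility problem Adrian describes is partly about what a monitoring pipeline can still see before any decryption happens. As an added example (not part of the interview and not Gigamon's own tooling), the Python below parses the unencrypted TLS ClientHello that opens every TLS session and pulls out the metadata a centralised visibility point can log without decrypting the payload: the SNI hostname, offered ALPN protocols and cipher suites. The ClientHello it parses is constructed inside the block; `build_client_hello` and `parse_client_hello` are names chosen here.

```python
import struct

def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body

def build_client_hello(hostname, alpn_protocols, cipher_suites):
    """Constructed sample: assemble a minimal TLS ClientHello record (not a real capture)."""
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name          # ext 0x0000: server_name
    alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn_protocols)
    alpn = struct.pack("!H", len(alpn_list)) + alpn_list                    # ext 0x0010: ALPN
    exts = _ext(0x0000, sni) + _ext(0x0010, alpn)
    body = (b"\x03\x03" + b"\x00" * 32                                      # client_version + random (zeros)
            + b"\x00"                                                       # empty session id
            + struct.pack("!H", 2 * len(cipher_suites))
            + b"".join(struct.pack("!H", c) for c in cipher_suites)
            + b"\x01\x00"                                                   # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 0x16 = handshake

def parse_client_hello(record):
    """Return {'sni', 'alpn', 'cipher_suites'} for a ClientHello record, or None if it is not one."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    if rec_len != hs_len + 4 or len(record) < 5 + rec_len:
        return None                                   # truncated record or inconsistent lengths
    p = 9 + 2 + 32                                    # skip client_version and random
    p += 1 + record[p]                                # skip session id
    cs_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + record[p]                                # skip compression methods
    info = {"sni": None, "alpn": [], "cipher_suites": suites}
    if p + 2 > len(record):
        return info                                   # no extensions block at all
    ext_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    end = min(p + ext_len, len(record))
    while p + 4 <= end:
        et, el = struct.unpack("!HH", record[p:p + 4]); p += 4
        data = record[p:p + el]; p += el
        if et == 0x0000 and len(data) >= 5:           # server_name: list len(2), type(1), name len(2), name
            n = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + n].decode("ascii", "replace")
        elif et == 0x0010 and len(data) >= 2:         # ALPN: list len(2), then (len(1), protocol)*
            q = 2
            while q < len(data):
                n = data[q]; info["alpn"].append(data[q + 1:q + 1 + n].decode("ascii", "replace")); q += 1 + n
    return info
```

Logging these fields at the centralised visibility point gives every downstream tool consistent session metadata even for flows that are never decrypted; only the payload, not the handshake, is opaque.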

This interview is a part of The Fast Mode's Real-time Visibility for Encrypted Traffic segment, featuring 34 leading IP networking solution providers and their views on the impact of encryption on traffic visibility. A research report on this topic will be published in February 2023 - for more information, visit here.

Author

Adrian Belcher is a Solutions Architect at Gigamon. Adrian has over two decades of experience in technical roles across network security and optimisation, working across Service Provider, Enterprise and Government environments.
