Performance, management and privacy issues stymie SSL inspections, and the bad guys know it

The technology is there for companies to inspect SSL traffic, but performance, management and privacy concerns combine to hinder its adoption

Page 2 of 2

However, financial firms also have some unique challenges when it comes to SSL decryption, he added.

"The case studies aren't there yet, but you might run the risk that the forensic integrity of a transaction that goes through a termination SSL connection might be challenged," he said.

Endpoint-based approaches

Encryption and decryption don't have to take place on the periphery of the network.

Some companies are avoiding potential management, performance and privacy issues by inspecting SSL traffic right at the end points.

Avast, for example, offers an HTTPS scanner that looks for signs of malware and sits on the end user's computer.

"It's a man-in-the-middle approach," said Michal Salát, threat intelligence director at Avast Software. "The user lets Avast, the program, scan the data that goes through, but the data isn't transferred anywhere else."

The tools can also spot whether the files are being sent to a suspicious destination.

However, Avast doesn't inspect the files for other types of content, such as sensitive documents or personally identifiable information, so it's not a data loss prevention solution.

Avast isn't alone. Several other companies also offer tools that sit at end points and watch out for suspicious activity.

For example, enSilo sits on servers and endpoints to look for behaviors that violate normal operating principles.

"We come with a whitelist out of the box," said Roy Katmor, CEO at enSilo. "We know how Windows is built and how it's supposed to work, and if something within that flow led to a communication request that broke the operating system, we will prevent that communication from happening. That makes us agnostic to the application or to the encryption method."

Endpoint visibility is especially critical in helping detect malware that uses its own encryption methods, said Zulfikar Ramzan, CTO at RSA Security.

"And if you can tie that back into the network, that would be even more powerful," he added. "Early indicators are that this is an important and growing market going forward."

In addition to commercial tools, there are also home-grown solutions that companies can script themselves, said Anuj Soni, an instructor at the SANS Institute and senior threat researcher at Cylance.

"You can collect information about the files located on the disk, the registry configuration settings," he said.

When decryption isn't an option

SSL isn't the only form of encryption that attackers can use. Even simple-to-break ciphers like XOR can provide a level of security, and the more advanced encryption algorithms are practically unbreakable.

"It is all too simple for attackers these days to encode or encrypt communications," said Soni.

But that doesn't mean that there's nothing you can do.

"Even if you have no visibility into the communications, you can look at the volume of data, the timing," said Soni. "You can determine the domain names and IP addresses that the traffic is going on. There are hundreds of artifacts produced across a traditional Windows operating system when packaging up documents. Even if malware is not resident on the machine, you can still find numerous artifacts that malicious activity has been taking place."

In addition, companies can ask themselves how much rogue encryption they want to have, said Jamz Yaneza, threat research manager at Trend Micro.

"You shouldn't have weird kinds of encryption going through your networks," he said. "Companies should have policies where they flag weird encrypted traffic to places that they don't do business with or have contacts with."

Trend Micro's appliance inspects packets going through the network and looks at the non-encrypted portion surrounding the encrypted body of the message. For example, the destination has to be specified in plain text.

"It could take a few hundred years to break some types of encryption," said Yaneza. "But there's always a way for us to identify that type of traffic."

Security tools can look for indicators that the traffic is malicious: in the way the message is encoded, in its source or destination, or in the way it behaves.

"You can also create a baseline and match that baseline against the traffic on the network," he said. "And when there are anomalies, create policies for them."
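Soni's point about volume and timing and Yaneza's point about baselining and anomalies are the same idea from two sides: even with an opaque payload, per-destination byte counts and the regularity of connection intervals are observable. The following is an added example, not code from the article or from any vendor named in it, that builds a per-destination volume baseline from constructed flow records, flags flows that deviate from it (or go to a destination never seen before), and separately flags destinations contacted at suspiciously regular intervals, the timing signature of a beacon. All flow records, hosts and thresholds are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, destination, bytes_sent). Not real telemetry.
BASELINE_FLOWS = [
    (0, "api.example.com", 1200), (37, "api.example.com", 980), (91, "api.example.com", 1410),
    (130, "api.example.com", 1050), (222, "api.example.com", 1330), (305, "api.example.com", 1100),
    (12, "cdn.example.com", 52000), (140, "cdn.example.com", 61000), (260, "cdn.example.com", 48000),
]

OBSERVED_FLOWS = [
    (400, "api.example.com", 1150),
    (455, "api.example.com", 250000),            # far above this host's usual volume
    (410, "203.0.113.7", 512), (471, "203.0.113.7", 514), (530, "203.0.113.7", 509),
    (589, "203.0.113.7", 516), (650, "203.0.113.7", 511), (711, "203.0.113.7", 513),  # ~60 s apart
    (420, "cdn.example.com", 55000), (600, "cdn.example.com", 40000),
]

def build_baseline(flows):
    """Per-destination (mean, population std dev, count) of bytes sent, from known-good flows."""
    per_dst = defaultdict(list)
    for _, dst, nbytes in flows:
        per_dst[dst].append(nbytes)
    return {dst: (mean(v), pstdev(v), len(v)) for dst, v in per_dst.items()}

def volume_anomalies(flows, baseline, z_threshold=3.0):
    """Flag flows whose volume is far above baseline, and destinations the baseline never saw."""
    findings = []
    seen_new = set()
    for ts, dst, nbytes in flows:
        if dst not in baseline:
            if dst not in seen_new:                  # report a new destination once
                seen_new.add(dst)
                findings.append((ts, dst, "new-destination", nbytes))
            continue
        mu, sigma, _ = baseline[dst]
        spread = max(sigma, 0.05 * mu)               # floor the spread so a flat baseline is not over-sensitive
        z = (nbytes - mu) / spread
        if z > z_threshold:
            findings.append((ts, dst, "volume", round(z, 1)))
    return findings

def beacon_candidates(flows, min_events=5, max_cv=0.1):
    """Destinations contacted at near-constant intervals (low coefficient of variation of gaps)."""
    per_dst = defaultdict(list)
    for ts, dst, _ in flows:
        per_dst[dst].append(ts)
    found = []
    for dst, times in per_dst.items():
        times.sort()
        if len(times) < min_events:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            found.append((dst, round(mu, 1), round(cv, 3)))
    return found

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for finding in volume_anomalies(OBSERVED_FLOWS, baseline):
        print("volume/destination:", finding)
    for finding in beacon_candidates(OBSERVED_FLOWS):
        print("periodic contact:", finding)
```

Neither check looks inside the encrypted body. In practice the baseline window would be days or weeks of flow logs rather than a handful of records, and the thresholds are policy choices per environment, which is what the quoted advice to "create policies" for anomalies amounts to.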

Trend Micro also works with the major cloud application providers, like Dropbox, to close down malicious channels.

"We have great synergy with them," he said. "With Dropbox or Google Drive or One Drive, we tell them that there are accounts that are being abused by a malware author, and they take them down."

That works well with large-scale attacks, where file sharing sites and other collaboration platforms are used as command and control centers, or to collect exfiltrated data.

"And if it's a one-off situation, that is an anomaly," he added. "It's weird, it doesn't happen regularly."
