Without proper inspection, encrypted traffic can be a significant security threat as the volume of malware carried inside it grows, and most organizations are unprepared to conduct the traffic analysis needed to cope with the issue. That is the takeaway from two sets of new research into the threat that malware hidden in encrypted traffic poses to organizations.

While CISOs might be aware of the risk of malware, most of it, a whopping 91.5%, is arriving over encrypted connections, according to the WatchGuard Internet Security Report for Q2 2021. What makes this statistic alarming is that just 20% of organizations are equipped to monitor encrypted traffic, meaning 80% of organizations are potentially missing most malware because they do not decrypt traffic for security scans.

Specifically, WatchGuard found that just two malware variants, XML.JSLoader and AMSI.Disable.A, accounted for more than 90% of malware detections over secure web connections. Without an efficient way to analyze encrypted traffic and identify even this small number of variants, the threat level is high.

The sheer volume of malware delivered over encrypted traffic has also spiked. As in many other areas where it has supercharged problems, the pandemic has driven a 314% increase over 2020 levels in malware hidden in encrypted traffic, according to Zscaler’s ThreatLabz report The State of Encrypted Attacks, 2021, which analyzed billions of threats delivered over encrypted channels in 2021.

Performance concerns and privacy considerations are the biggest reasons this malware is getting through. “Too frequently, inspection of encrypted traffic is not employed because of the performance hit. This is why so much malware enters organizations over port 443—no one is decrypting the packets to look for malware.
We have to modernize our security architectures to address the performance requirements when decryption and deep packet inspection are required,” says Matt Stamper, CISO and executive advisor at EVOTEK, who is also president of the ISACA San Diego Chapter.

Stamper favors threat modeling to review the different inherent risks involving malware in encrypted traffic. He also believes that security architectures must account for the fact that most traffic can and should be encrypted.

Stamper points to the need to scale the security architecture to match the threat. “For CISOs, it’s incumbent on them to look at risk expansively and to understand where there may be organizational blind spots, areas where our current security architecture and security monitoring practices may leave the organization unwittingly exposed,” he says.

Stamper believes that part of the defensive play is extending zero-trust principles to not trusting encrypted traffic by default. “To provide or enhance assurance, encrypted traffic should be decrypted, inspected, and triaged, and done so in a manner that doesn’t undermine system and network performance,” he says. However, legacy security architecture is ill-equipped to do this at scale. That is why organizations wanting to weed out such malware are “working quickly to modernize security practices to catch up with adversarial tactics,” he adds.

Start by limiting user access to data

Stephen Green, lead security architect for Unisys’s APAC region, also points to the usefulness of applying zero-trust principles, in this case to limit users’ access to only what is needed. “Then ensure that state of the art endpoint security is applied,” Green tells CSO.

This threat isn’t new. In fact, it is cheap, easy, and accessible to attackers.
What makes this threat more dangerous now is that bad actors can turn to generic cloud-based URLs, such as those hosted on Amazon S3, reducing the effectiveness of common go-to security controls like URL filtering. “It’s a significant threat for organizations that don't have a clear plan in place to deal with this vector at multiple layers,” says Green.

CISOs should also be clear about what needs to be protected before instituting any new technical fixes, according to Green, and then adopt defense-in-depth principles to layer security controls around the asset to be protected. Threat modeling can then be applied to both design and test the controls. It’s an approach that moves outward toward the threat source and continues “to layer controls, eventually getting to 'URL filtering', 'SSL/TLS interception and malware scanning' used where applicable to inspect and screen traffic on the fly,” he says.

“Each control has its weakness. For example, SSL/TLS interception is prone to breaking websites, and sometimes exceptions are put in place. This is why defense in depth via overlapping controls is so important to mitigate risk,” Green adds. Certificate-pinned applications and sites that require client certificates are the usual cases that break under interception, and every exception added for them is a channel that is never inspected, which is exactly the blind spot the overlapping controls must cover.

Green’s advice to CISOs looking to reduce the threat level is to consider how vulnerable the organization is to this kind of attack. As a simple equation, “Risk = threat x vulnerability,” he says. To quantify the risk, CISOs must also look at the probability of it happening and the impact if it does happen. “To assess impact, ask questions like: 'How dependent on technology is the business to operate?' Today, that dependency is typically high. 'How interdependent are my different technology systems?' – i.e., will one system being attacked cause a domino effect within the organization?”

Managing the privacy considerations

While technically possible, decrypting traffic opens other considerations, namely privacy.
Here, Green says CISOs need to first seek legal advice about what is considered acceptable for decryption and review privacy principles based on the applicable countries of operation. “Implement procedures and standards spanning people and technology that align to the corporate policies, as well as to any legal and security requirements. Then regularly or continuously assure compliance with the relevant privacy laws,” he says.

EVOTEK’s Stamper agrees that decrypting traffic can surface important privacy considerations. “Sensitive content will be visible as a result of the decryption process. That being said, there’s important context around how this would be handled and, importantly, where this would occur,” he notes.

Stamper suggests an approach in which the CISO and the organization’s privacy officer review the context and implications wherever encrypted traffic is indeed decrypted and inspected for security and other purposes (such as data loss prevention).

“Ideally, the triage of this traffic should occur with advanced security applications managed by a small number of well-vetted employees such that there is a ‘machine’ review of the traffic to review for malware and other issues with limited human intervention,” Stamper says.
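Both the interception exceptions Green describes and the privacy carve-outs Green and Stamper discuss come down to one decision an inspecting proxy makes per connection, before it touches any plaintext: decrypt and inspect, or pass the flow through untouched. The Python below is an added illustration, not code from the article or from any vendor it mentions. It reads the server_name (SNI) extension from a TLS ClientHello, which the client sends in the clear, and applies a bypass list; the host suffixes in BYPASS_SUFFIXES, the sample hostnames and the ClientHello bytes produced by build_client_hello are all constructed for this example. A connection with no readable SNI falls through to inspection, which is the not-trusted-by-default posture Stamper argues for.

```python
import struct

# Hypothetical bypass list for the example: hosts whose traffic is left
# encrypted end to end, e.g. certificate-pinned apps that interception would
# break, or categories (banking, health) a privacy review carved out.
BYPASS_SUFFIXES = ("bank.example", "health.example", "update.example")


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello record carrying an SNI.

    Constructed test input for the example: the random is all zeros and only
    two cipher suites are listed, which is enough for the header walk below.
    """
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name entry
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # server_name ext
    body = (
        b"\x03\x03" + bytes(32)                        # client_version + random
        + b"\x00"                                      # empty session_id
        + struct.pack("!H", 4) + b"\x13\x01\x13\x02"   # two cipher suites
        + b"\x01\x00"                                  # null compression only
        + struct.pack("!H", len(ext)) + ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, or None.

    Walks the record header, handshake header and fixed ClientHello fields to
    reach the extension block. Any truncation yields None instead of an
    exception, because a proxy sees plenty of malformed input.
    """
    try:
        if record[0] != 0x16:                          # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                              # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                   # skip version and random
        pos += 1 + body[pos]                           # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        if pos + 2 > len(body):
            return None                                # hello has no extensions
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:                        # only server_name matters
                continue
            lpos = 2                                   # skip server_name_list length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                lpos += 3
                if ntype == 0x00:                      # host_name
                    return edata[lpos:lpos + nlen].decode("ascii", "replace")
                lpos += nlen
        return None
    except (IndexError, struct.error):
        return None


def intercept_decision(record: bytes):
    """Decide ("inspect" | "bypass", host) for one ClientHello.

    A missing or unreadable SNI cannot match an exception, so it is inspected:
    the exception list only ever narrows inspection, never widens it.
    """
    sni = extract_sni(record)
    if sni is None:
        return ("inspect", None)
    host = sni.lower().rstrip(".")
    for suffix in BYPASS_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return ("bypass", host)
    return ("inspect", host)


if __name__ == "__main__":
    # Constructed sample hostnames; the third is the kind of generic cloud
    # endpoint the article notes URL filtering struggles with.
    for sample in ("cdn.example.com", "online.bank.example", "s3.amazonaws.com"):
        print(sample, "->", intercept_decision(build_client_hello(sample)))
```

The default branch is the important design choice. Encrypted Client Hello hides the SNI from an on-path proxy, and a malformed or truncated hello yields nothing to match, so any flow the policy cannot classify must land on the inspect side rather than silently joining the exception list; otherwise the carve-outs meant for a handful of pinned or privacy-sensitive hosts become the blind spot Stamper warns about.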