The ongoing Apple versus the FBI debate has me thinking more about the implications of encryption. Whether or not national governments around the globe choose to go down the path of further regulating encryption key lengths, requiring backdoors to encryption algorithms, mandating key escrow for law enforcement purposes, or generally weakening the implementations of encrypted communications and data storage in consumer technologies, the use of encryption will increase – and in parallel – network visibility of threats will decrease.
While there are a handful of techniques available to enterprise network operators that will allow data inspection of encrypted flow, for all practical purposes they are of dwindling appeal and practicality. Host-based agents – while providing visibility of pre- and post-encryption communications – are easily bypassed by those with malicious or criminal intent. Meanwhile, in a world of increasingly diverse computing and mobile platforms, coverage for the expanding array of devices and operating systems means it is likewise increasingly impractical to deploy.
Like a final front-line push prior to a cease-fire deadline, SSL terminator (or accelerator) technologies are being promoted as a solution. Hopes are certainly high that such technologies can “man-in-the-middle” SSL Internet-bound communications and provide the levels of deep packet inspection of an earlier age. However, the reality is – not only is enterprise-wide deployment and management of such devices (including the addition of appropriate certificate authority credentials on the client systems and devices) increasingly difficult – the scope of what can be detected and mitigated through such inspection is rapidly decreasing.
Social media sites and online search engines have led the way in moving from SSL-by-default to wholly encrypted communications. We can then expect those sites to get smarter in not only detecting that SSL man-in-the-middle is being used to intercept traffic, but that the adoption of various SSL certificate key pinning standards will prevail for all other Internet services as well.
Today, many organizations hope that evil hackers and malware using SSL as a means to control compromised systems and as an evasion aid will stand out amongst the authorized (unencrypted) traffic of a closely monitored corporate network. It’s an obviously flawed plan, but some true believers still feel it may be a viable technique for a few remaining years.
Smart CxOs should be planning for the day when all of their network traffic is encrypted and deep packet inspection is no longer possible. In many networks, half of all Internet-bound traffic is already encrypted (mostly HTTPS) and it’s likely more than three-quarters of network traffic will be encrypted within the next couple of years. With this increase, the prospect of inspecting the content layer of traffic will have mostly disappeared.
While the loss of content-level inspection will have a measurable effect on the network security technologies we’ve been dependent upon for the last decade or two (e.g. IDS, DLP, ADS, WAF, etc.), security teams will not be blind. While threats have advanced and encryption has covered the landscape like a perpetual pea soup fog, there remains plenty of “signals” in the transport of encrypted data and the packets traversing the corporate network.
Just as the revelations of how law enforcement agencies around the globe consistently use “metadata” associated with cellular traffic logs (e.g. from, to, time, and duration of the call) to identify and track threats without being able to listen to the actual conversation, a similar story can be formulated for network traffic – without being reliant upon the content of the messages (which we can presume will be encrypted now and more so in the future).
A new generation of network-based detection technologies – using machine learning and traffic modeling intelligence – have entered the security market. These new technologies are proving to be just as accurate (if not more accurate) than the legacy detection technologies that required deep packet inspection to identify threats and determine response prioritization.
Network security architects – and those charged with protecting their Internet-connected systems – need to re-assess their defensive strategies in the wake of increased encrypted communications traffic. A smart approach would be to architect defenses with the assumption that all traffic will soon be encrypted. By all means, continue to hope that some level of content-layer inspection will be available for critical business data handling, but plan for that to be an edge case.
Günter Ollmann is CSO of the cloud and AI security devision at Microsoft and an advisor for Vector AI. Previously, he held the position of CSO at Vectra where he assisted in building the next generation of threat detection technologies capable of illuminating persistent threats, lateral movement, IoT integrity compromise, and attacks that bypassed the front-door. Günter was also a founder and principal at Ablative Security as well as an advisor for C3 Security and Yaxa. He received a B.S. in applied physics and mathematics and a M.S. in atmospheric physics at the University of Auckland.