As I’ve mentioned in several recent blogs, enterprise organizations are encrypting more and more of their network traffic. A majority (87%) of organizations surveyed as part of a recent ESG research project say they encrypt at least 25% of their overall network traffic today.
CISOs realize that network encryption is a mixed blessing as it protects the confidentiality/integrity of network traffic but also represents a new threat vector. Given this, 87% of organizations surveyed report that they decrypt and then inspect SSL/TLS traffic for signs of reconnaissance activity, malware, C2 communications, etc.
Decrypting and inspecting SSL/TLS traffic is the right thing to do from a security perspective, but this activity comes with its share of operational and technical challenges. For example, ESG research indicates that:
- 26% of organizations say that it is difficult to integrate SSL/TLS decryption with various packet filtering technologies. This is a major problem because decrypted traffic is only useful if it can then be handed to AV engines, sandboxing appliances, web threat gateways, etc. for inspection.
- 24% of organizations say that their networking team is suspicious of any technology that may impact performance or disrupt network traffic for a critical service. This is an old and familiar story: The security team wants to inspect network traffic in-line, while the networking team prefers tools that hang off a SPAN port and run in promiscuous mode, where a failure cannot take down a production flow.
- 22% of organizations say that their security and networking teams have some collaboration problems that impact their ability to inspect SSL/TLS traffic. Nothing new here.
- 22% of organizations say that their security team has various problems related specifically to SSL/TLS (i.e., certificate management, proxy configurations, acceptable ciphers, etc.). This is understandable as the PKI and encryption subtleties demand expertise and can be difficult to configure and operate.
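The proxy-configuration and acceptable-cipher problems in the last bullet, and the networking team's preference for passive SPAN-port tools two bullets up, both come down to knowing what is actually being negotiated on the wire before anything is decrypted in-line. The script below is an added example, not code from the original post or from ESG: it parses a TLS ClientHello (which is sent in the clear even though the rest of the session is encrypted), extracts the SNI hostname and the offered cipher suites, and applies a simple inspection policy to them. The ClientHello bytes are constructed inside the script rather than captured; the cipher-suite subset, the weak-cipher markers, and the no-inspect domain list are assumptions made for illustration.

```python
import struct

# Subset of the IANA TLS cipher-suite registry, enough for this example (assumption: a
# real tool would load the full registry).
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
# Substrings that mark a suite the inspection policy treats as weak (illustrative policy).
WEAK_MARKERS = ("RC4", "3DES", "_NULL_", "EXPORT", "MD5")


def build_client_hello(hostname, suites):
    """Build a minimal TLS ClientHello record (constructed test input, not a capture)."""
    name = hostname.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 + host_name
    name_list = struct.pack("!H", len(server_name)) + server_name
    sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list  # extension_type 0 = SNI
    exts = struct.pack("!H", len(sni_ext)) + sni_ext
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"                         # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                             # one compression method: null
            + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return {'sni': str|None, 'cipher_suites': [int]}; raise ValueError on malformed input."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != 0x01:
            raise ValueError("truncated record or not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                   # skip client_version and random
        pos += 1 + body[pos]                           # skip session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                           # skip compression_methods
        sni = None
        if pos + 2 <= len(body):                       # extensions block is optional
            ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            end = pos + ext_len
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                edata = body[pos:pos + elen]
                pos += elen
                if etype == 0 and len(edata) >= 5:     # SNI: list_len(2) type(1) name_len(2) name
                    name_len = struct.unpack("!H", edata[3:5])[0]
                    sni = edata[5:5 + name_len].decode("ascii", "replace")
        return {"sni": sni, "cipher_suites": suites}
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def classify_suite(code):
    """Label a suite acceptable (forward secrecy + AEAD, or TLS 1.3), weak, or legacy."""
    name = CIPHER_NAMES.get(code, f"UNKNOWN_0x{code:04X}")
    if any(m in name for m in WEAK_MARKERS):
        return name, "weak"
    tls13 = name.startswith(("TLS_AES_", "TLS_CHACHA20_"))
    pfs_aead = "ECDHE" in name and ("GCM" in name or "CHACHA20" in name)
    return name, "acceptable" if (tls13 or pfs_aead) else "legacy"


def assess_flow(record, no_inspect_domains):
    """Decide what the inspection policy would do with a flow, from its ClientHello alone."""
    hello = parse_client_hello(record)
    labels = [classify_suite(c) for c in hello["cipher_suites"]]
    sni = hello["sni"]
    bypass = sni is not None and any(sni == d or sni.endswith("." + d) for d in no_inspect_domains)
    return {
        "sni": sni,
        "weak_offered": [n for n, lab in labels if lab == "weak"],
        "legacy_offered": [n for n, lab in labels if lab == "legacy"],
        "decision": "bypass" if bypass else "inspect",
    }


if __name__ == "__main__":
    sample = build_client_hello("example.com", [0x1301, 0xC02F, 0x002F, 0x0005, 0x000A])
    print(assess_flow(sample, ["bank.example"]))
```

Run passively against ClientHellos collected from a SPAN port, this kind of check gives both teams an inventory of destinations and offered ciphers before any in-line decryption is switched on: flows to domains the policy must not open (here the hypothetical `bank.example`) are marked for bypass, and clients still offering RC4 or 3DES surface as the proxy-configuration and acceptable-cipher work the bullet above describes. Note that the ClientHello only shows what the client offers; the suite actually negotiated is in the server's reply.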
In my last blog on this topic, I mentioned that only 20% of organizations have taken a strategic approach to SSL/TLS traffic decryption/inspection, while 80% continue to do this tactically with manual processes and assorted tools deployed throughout the network. The issues described are quite common when organizations address network security tactically—integration issues, performance issues, organizational issues, etc. These challenges may be manageable in the short term, but they will likely become more acute as encrypted network traffic continues to grow.
So what does a network security strategy for SSL/TLS traffic decryption/inspection entail? More on this soon.