Encrypted Traffic Analysis: Increasing Visibility of your Encrypted Estate

Safeguarding sensitive customer, client and employee data has always been important, but has become a key responsibility for organisations in recent years.

This has resulted in a sharp increase in the adoption of encryption – both in transit and at rest – which is now mandated by many governments and regulators across the globe, with major financial and reputational penalties for firms failing to adhere to these requirements.

To ensure they are compliant, follow best practice and maintain the privacy of business-critical data, 62% of the top 1000 internet websites globally now use TLS 1.3 – the current standard for strongly encrypted communications. However, encryption remains widely misunderstood and, more often than not, is poorly applied, causing growing issues for the security and compliance teams charged with maintaining standards and protecting end-user and transactional privacy.

When an organisation’s encryption is poorly deployed, maintained or managed, the privacy of data can be compromised. This is commonly seen in highly regulated industries, where organisations may lack the required understanding of how encryption is actually being used “in flight” across the organisation and whether it meets regulatory standards. The causes are usually a combination of unclear ownership of the implementation, governance and monitoring of encryption, a failure to define who is responsible for managing encrypted security solutions, and legacy infrastructure that hasn’t been properly maintained.

Even in organisations that implement strong security standards, encryption can still present a significant challenge. Given the volume of encrypted data firms need to manage, decryption alone isn’t enough to provide visibility of potentially malicious traffic. Instead, organisations need new methods of analysing and understanding network traffic, in order to mitigate cyber risks in parts of their network where visibility using traditional tooling remains a challenge.

Mitigating the risks of encrypted traffic

Attackers are increasingly able to hide malicious activity within legitimate encrypted network traffic, creating blind spots and enabling them to breach the perimeter of unsuspecting organisations. Attacks over encrypted channels increased by an enormous 314% in the first three quarters of 2021 alone. While these attacks aren’t necessarily particularly sophisticated, the lack of true visibility over encrypted traffic is providing malicious actors with almost unfettered access to private networks. Traditionally, this might have been solved by decryption and inspection; however, the increasing volume of data makes this difficult. Decrypting the huge volumes of traffic generated by and traversing today’s enterprise organisations using modern encryption protocols is complex. Some of the more recent protocol features, like the mandatory forward secrecy in TLS 1.3, mean that each session is protected by ephemeral keys, so a passive inspection device holding the server’s private key can no longer decrypt the traffic and decryption becomes much more difficult. For many organisations, there are also significant financial costs to consider.

The challenge for organisations now is to successfully identify malicious, aberrant or simply suspicious encrypted communications once a beachhead has been established. The single most effective method of reducing risk to sensitive data is to gain oversight of encrypted traffic without having to wait for decryption. This requires security teams to gear their approach towards detailed analysis of all encrypted communications, and a full, real-time understanding of the traffic passing over their networks.

An emerging method of risk detection is Encrypted Traffic Analysis (ETA). ETA facilitates analysis and oversight of encrypted traffic, without decryption, via a combination of machine learning, artificial intelligence and behavioural analytics. This has useful applications for security teams in understanding the behaviour of traffic across networks, and in receiving real-time updates and alerts without any impact on latency or privacy. Significantly, increasing the rate at which malicious activity can be found, isolated and dealt with reduces business risk considerably.

A great number of organisations rely on static analysis of the server certificate, but this strategy fails to reveal which specific settings and features (such as the protocol version and cipher suite) are actually negotiated and used in each individual session. The per-session visibility provided by ETA platforms can therefore confirm that the encryption organisations have put in place is as secure as intended.
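To make the point about negotiated parameters concrete, the following added example (not code from the article or from Venari Security) parses a TLS ServerHello record and reports the protocol version and cipher suite the server actually selected, flagging deprecated versions and non-ephemeral key exchange. It assumes the handshake record has already been extracted from a capture; the two sample records are constructed inline, and the cipher-suite table is deliberately small.

```python
import struct

# Small IANA cipher-suite table: name and whether key exchange is ephemeral (forward secrecy).
CIPHER_SUITES = {
    0x1301: ("TLS_AES_128_GCM_SHA256", True),            # TLS 1.3 suites are always (EC)DHE
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", True),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", False),     # static RSA key transport, no PFS
}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_server_hello(record: bytes) -> dict:
    # Walk one TLS record (5-byte header) carrying a ServerHello handshake message.
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 0x16 or hs[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[:2])[0]          # legacy_version; 0x0303 even for TLS 1.3
    pos = 2 + 32 + 1 + body[34]                         # skip random and session_id
    suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                            # cipher_suite + compression_method
    if pos < len(body):                                 # optional extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x002B:                         # supported_versions carries the real choice
                version = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += elen
    name, pfs = CIPHER_SUITES.get(suite, (f"unknown(0x{suite:04x})", False))
    findings = []
    if version < 0x0303:
        findings.append("deprecated protocol version")
    if not pfs:
        findings.append("no forward secrecy")
    return {"version": VERSIONS.get(version, hex(version)), "cipher_suite": name,
            "forward_secrecy": pfs, "findings": findings}

def build_server_hello(legacy_version: int, suite: int, selected_version=None) -> bytes:
    # Constructed minimal ServerHello for testing; not a real capture.
    ext = b"" if selected_version is None else struct.pack("!HHH", 0x002B, 2, selected_version)
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    if ext:
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0303, len(hs)) + hs

MODERN = build_server_hello(0x0303, 0x1301, 0x0304)   # TLS 1.3, AES-GCM, ephemeral key exchange
LEGACY = build_server_hello(0x0301, 0x002F)           # TLS 1.0, static RSA: both findings fire
```

Running `parse_server_hello` over every ServerHello seen on the wire gives a per-session record of what was negotiated, which a certificate scan alone cannot provide.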

The value in ‘measuring and mitigating’

The protection of data privacy doesn’t have a single solution. To minimise the risk of data breaches, organisations must shift to best-practice security solutions and maintain the very latest data security knowledge.

Visibility and understanding are crucial in the new age of encryption, helping organisations to truly understand what is happening with their network security. To achieve this, they must begin to move away from the traditional ‘detect and decrypt’ approach and instead focus on methods to ‘measure and mitigate’, giving them real-time knowledge and understanding of activity on their encrypted networks.

About the Author

Simon Mullis is Chief Technology Officer at Venari Security. Venari Security is the only company in the world focused on encrypted traffic analysis without decryption. We provide organisations with visibility and insight into their encrypted attack surface and how encryption is actively used across their enterprise, enabling them to define, measure, monitor and maintain strong encryption standards, highlighting and reporting on deviation, and giving them actionable insights and intelligence about their encrypted traffic.