Beware of security blind spots in encrypted traffic

The growth of encrypted traffic has put the spotlight on intrusion prevention systems that help to surface cyber attacks conducted under the cloak of network encryption

Network encryption is often seen as a double-edged sword in cyber security, giving consumers the ability to ensure the privacy and security of their internet transactions while handing cyber criminals the same tools to mask their malicious activities.

According to technology research firm Gartner, encrypted traffic has grown by more than 90% year over year, with 80% of all web traffic expected to be encrypted by the end of 2019.

As such, gaining visibility into corporate networks is key to fending off cyber attacks that stay under the covers of encryption protocols such as the widely used Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

If left unchecked, the rise of encrypted traffic, particularly traffic that originates from employee devices connected to corporate networks, can potentially result in malware infections and data exfiltration, ceding control of key information and IT assets to command and control (C2) servers.

Blake Sutherland, vice-president and general manager for Trend Micro TippingPoint, said encryption can take place on either side of a device, so rules are applied to the unencrypted portions of data packets to determine whether encryption was done for the purpose of exfiltration or enabling C2 communications.

“A lot of organisations have an F5 BIG-IP system that terminates the SSL in the datacentre, and our devices would be placed behind that to see the traffic,” he told Computer Weekly on a recent visit to Singapore.

On the maturity of Asia-Pacific enterprises in adopting intrusion prevention systems (IPS) from the likes of TippingPoint that examine encrypted traffic for signs of malicious activity, Sutherland said financial institutions are typically more advanced than healthcare service providers.

“One of the things that’s driving that spectrum of maturity is the global shortage of cyber security resources,” he added. “And I understand that’s particularly bad here.”

Sutherland assuaged concerns that IPS would affect network and application performance, noting that TippingPoint’s IPS engines are designed to push legitimate traffic through quickly, particularly for internet of things applications that could be slowed down by high latencies.

To handle peaks of encrypted traffic, Sutherland said enterprises can stack appliances, while on the cloud side, it is a “yet to be uncovered problem” as virtual private clouds still cannot handle high throughputs.

Amid global talent shortages in cyber security, Trend Micro, like most other security suppliers, uses machine learning techniques to surface alerts on potential cyber threats that stay under the covers of encrypted traffic.

Automated decisions are then made to block known threats, while passing legitimate traffic along and calling out suspicious traffic that requires further investigation.

With more organisations subject to personal data protection regimes, legitimate outbound encrypted traffic to internet banking websites from employees’ internet browsers, for instance, can be allowed to pass via policy rules – a feature that TippingPoint will be releasing this fall.

“It’s policy based because we don’t want customers to be breaching privacy laws, so we need to offer controls to tune when they decrypt and when they don’t,” Sutherland said.
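Sutherland's two points, applying rules to the unencrypted portions of packets and offering policy controls over when to decrypt, can be shown together in code. The following is an added example, not code from TippingPoint or from the article: it reads the server_name (SNI) from a TLS ClientHello, which stays in the clear in TLS 1.2 and 1.3 unless Encrypted Client Hello is used, and applies a constructed three-way policy (block a known C2 host on the clear-text name alone, pass an allowlisted banking host without decrypting it, and send everything else for decryption and inspection). The hostnames, the two policy sets and the ClientHello builder are placeholders for testing.

```python
import struct

def extract_sni(record: bytes):
    """Return server_name from a raw TLS record holding a ClientHello, else None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:   # handshake record, ClientHello type
            return None
        pos = 5 + 4 + 2 + 32                          # record+handshake hdrs, version, random
        pos += 1 + record[pos]                        # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
        pos += 1 + record[pos]                        # compression_methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, elen = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0:                         # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):                # truncated or malformed hello
        pass
    return None

# Constructed policy lists: placeholders, not real categorisations.
KNOWN_C2 = {"c2.example"}          # block on the clear-text SNI alone, no decryption needed
PRIVACY_BYPASS = {"bank.example"}  # internet banking: pass through without decrypting

def decide(record: bytes) -> str:
    """Map one ClientHello to block / pass-no-decrypt / decrypt-and-inspect."""
    sni = extract_sni(record)
    if sni is None:                    # no SNI: the privacy bypass cannot apply, so inspect
        return "decrypt-and-inspect"
    host = sni.lower().rstrip(".")
    for verdict, domains in (("block", KNOWN_C2), ("pass-no-decrypt", PRIVACY_BYPASS)):
        if any(host == d or host.endswith("." + d) for d in domains):
            return verdict
    return "decrypt-and-inspect"

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal ClientHello carrying only an SNI extension, for testing."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)      # version, random, sid, suites, comp, exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A production inspector would key the bypass on a curated category feed rather than a literal set, and would log the verdict for each flow so that the "do not decrypt" decisions remain auditable.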
