The Visibility Void
Security Report
Security Empowers Business
Attacks through HTTPS can be a vulnerability for enterprises
The use of encryption protocols, Transport Layer Security (TLS) or Secure Sockets Layer (SSL), to protect web and email content is now entering its second decade. Research conducted by the Canadian broadband management company Sandvine found that the number of Internet users encrypting their online communications has doubled in North America and quadrupled in Latin America and Europe over the past year alone.[1] Thankfully, encryption is here to stay, but it is not without its risks.
To identify hidden threats to the business, enterprises need complete visibility into encrypted traffic. However, to comply with local privacy regulations and their own acceptable use policies, enterprises must have the means to selectively decrypt this traffic. An encrypted traffic management strategy must consider various business needs, established corporate policies, and compliance mandates.
[1] https://www.sandvine.com/downloads/general/global-internet-phenomena/2014/1h-2014-global-internet-phenomena-report.pdf
The dawn of a digital dark age
As privacy concerns reach an all-time high, the industries where data represents a prized commodity – social media, mobile, and communications – have understandably responded by broadly adopting encryption. Personal privacy concerns have led to goliaths such as Google, Amazon and Facebook switching to an “always on HTTPS” model to protect data in transit (see Fig. 1). Every minute, at least 4,000,000 Google searches; 2,460,000 shares on Facebook; 48,000 Apple app downloads; and 23,300 hours of Skype conversations take place[2] – all of them protected by SSL encryption. Google has recently announced that HTTPS sites are more positively weighted in Google search results.[3]
All this increased adoption of “transport encryption” takes place in an environment where use of encryption technology in general is becoming routine. For example, technology giant Apple recently announced its iOS 8 operating system will encrypt all data, by default, on its phones and tablets; the protected data includes photos, messages, contacts, reminders and call history. The explosion of data created by an ever-connected world and growing concern about data privacy means much more opportunity for serious cyber threats and data loss.
[2] DOMO, Data Never Sleeps 2.0
[3] http://googleonlinesecurity.blogspot.com/2014/08/https-as-ranking-signal_6.html
Figure 1: Growing use of encryption among the top 10 most visited websites (Google.com, Facebook.com, Youtube.com, Yahoo.com, Baidu.com, Wikipedia.com, Amazon.com, Twitter.com, Linkedin.com, Qq.com), shown as encrypted (HTTPS) vs. not encrypted: 8 out of the Top 10 global websites use HTTPS (Source: Alexa)
But does encrypted mean safe?
In a typical seven-day period, Blue Coat found that 69% of the top 50 websites visited by its customers use HTTPS by default. Only sites focusing on publishing daily news or entertainment (e.g. ESPN, BBC News, CNN, or Pandora) use the easily monitored unencrypted HTTP protocol. Of the top 10 most visited customer sites globally, as ranked by Alexa, nearly all use encryption to deliver at least some content. To try to manage encrypted traffic, some companies block traffic to these sites, despite employee requests to browse those websites during working hours.
While a benefit for privacy purposes, the blanket use of encryption means that many businesses are unable to govern the legitimate corporate information entering and leaving their networks, creating a growing blind spot for enterprises. This growing visibility void also creates opportunities for attackers to deliver malware directly to users, bypassing network security tools. The lack of visibility into SSL traffic represents a potential threat, especially given that benign and hostile uses of SSL are indistinguishable to many security devices.
The tug of war between personal privacy and corporate security is unfortunately leaving the door open for novel malware attacks involving SSL over corporate networks. For corporations to secure customer data, they need visibility to make sure they can see the threats hiding in encrypted traffic.
The hostile use of encryption is set to increase in the coming years. Gartner believes that by 2017 more than half the attacks on networks will employ some form of encrypted traffic to bypass security.[4] This will in part be due to large web properties and hosting services switching to the HTTPS protocol. While banks and shopping sites already protect data using such encryption, HTTPS is becoming the rule rather than the exception.
[4] Gartner, Security Leaders Must Address Threats from Rising SSL Traffic, Jeremy D’Hoinne and Adam Hills, December 9, 2013
The good news: You can maintain privacy and still be secure
Of great concern is the low level of sophistication malware coders need to compromise a network using encryption. Why? Many enterprises are under the illusion that what they can’t see can’t hurt them. Malware attacks using encryption as a cloak do not need to be complex, because the malware operators believe that encryption prevents the enterprise from seeing what they are doing.
Blue Coat’s Global Intelligence Network routinely observes encrypted traffic used for the delivery and command and control of malware, as well as for other types of malevolent activity, such as phishing. Some of these attacks not only steal personal data from the infected machine, but leverage that machine’s position within the corporate network to pivot and steal sensitive enterprise information.
Knowing that no one wants to stop encrypting traffic, enterprises need a way to stop threats that are being delivered through encrypted traffic. The good news is that maintaining the privacy of employee personal information and adhering to compliance regulations is possible while still protecting the enterprise from unwanted intrusions and threats. A policy-based solution decrypts and inspects only targeted traffic, enhancing network security while complying with laws and policies. Open and transparent security protocols, along with tight controls limiting the use of decrypted data (e.g., to network security purposes), can be combined with regional and tailored IT monitoring notices to employees to maintain compliance with privacy protocols.
The true risk for an enterprise is to consider privacy and security as mutually exclusive. Privacy should not be a trade-off for security. Legitimate business justifications allow the enterprise to keep the network secure and its IP protected while maintaining the integrity of personal data.
Encrypted Traffic Management allows organizations to protect stakeholders by being smart about what is seen and what is not. Encryption isn’t the enemy – it protects your business, customers and employees. Encrypted Traffic Management is essential to ensuring the safety of virtually anything worth protecting. Services such as email, banking and finance, cloud-based services, and industrial systems control some of the most important data in any company.
Figure 2: In a typical seven-day period, the Global Intelligence Network receives over 100,000 requests to known malware servers over HTTPS (a strong indication of exfiltration in progress) and over 40,000 requests to newly classified malicious hosts over HTTPS (a strong indication of new infections). In a typical seven-day period, Blue Coat Labs receives around 100,000 requests for information about sites using the HTTPS protocol for command and control of malware.
However, the dangers associated with this protective wrapper around messaging,
file-transfer technologies and cloud applications cannot be ignored. Significant
data loss can occur as a result of malicious acts by hostile outsiders or
disgruntled insiders, who can easily transmit sensitive information. Today a
watchful team of security incident responders is required or the consequences
can be serious.
Closing the curtains
As already mentioned, malware hiding in encrypted traffic is typically unsophisticated, presenting an opportunity for businesses to easily find and block attacks once the traffic is decrypted.
Despite concerted effort from government and private enterprises against cyber criminals intent on exploitation, the onslaught is unforgiving. After authorities effectively shut down Zeus,[5] one of the most successful Trojan horses, in a coordinated raid, criminals intent on data theft needed an alternative. Dyre, a widely distributed, password-stealing Trojan originating in Ukraine, is trying to fill the power vacuum left behind when Zeus was shut down. In a cyber equivalent of Whack-A-Mole, Dyre quickly replaced Zeus using the same infection mechanisms and achieving the same goals, with the help of encryption.
All of Dyre’s command-and-control traffic is, by default, communicated back to its infrastructure over TLS/SSL. Without decryption the bot can enter an enterprise network undetected, luring targets into clicking links to malware contained in phishing emails. Once in, criminal organizations extract user information under the cover of encryption so they can sell it to the highest bidder.
[5] http://en.wikipedia.org/wiki/Zeus_(Trojan_horse)
Encryption and Visibility
As a result of recent massive data breaches and the regular use of encryption that can mask the criminal exfiltration of proprietary information, encrypted traffic needs to be properly managed. Encrypted Traffic Management is a mechanism to responsibly use encryption to protect data, whilst preventing actors with hostile intent from abusing these services.
Decryption does not have to compromise privacy; rather, it provides enterprises a way to effectively manage traffic. The risk of a security incident, which could ultimately lead to serious data loss, is not something that just happens to other companies. It is time to take charge of privacy instead of turning a blind eye to the growing volume of encrypted traffic. The visibility void created when the web turns its lights out on network traffic has serious implications for the enterprise, yet holds the key to data privacy. By approaching encrypted traffic with a clear, policy-driven management approach, businesses can take to the frontline in cyber warfare.
Best Practices for Managing Encrypted Traffic
Security demands must be balanced with privacy and compliance requirements. Because employee privacy policies and compliance regulations vary geographically, per organization and per industry, businesses need flexible, customizable and policy-driven decryption capabilities to meet their unique business needs. To preserve employee privacy while combating threats hiding in encrypted traffic, IT security departments should:
• Take inventory and plan for growth – Assess the volume of SSL-encrypted network traffic in your organization (we typically see 35 percent – 45 percent of network traffic being encrypted), including the mix of traffic types (not just web/HTTPS traffic), current volume and projected increase.
• Evaluate the risk of un-inspected traffic – In addition to malware coming into the enterprise, examine what type of data is at risk from both a security (exfiltration) and a privacy standpoint. Share insights across IT, security, HR and legal departments.
• Create an action plan – Evaluate employee “acceptable use” policies, privacy requirements and compliance regulations, and create formal policies to control and manage encrypted traffic based on traffic type, origination and other security and privacy vulnerabilities.
• Apply granular policy control – Selectively identify, inspect, and decrypt web-based SSL traffic according to your established policies. Decrypted data can then be processed by the security tools you have already invested in on the network, such as network antivirus, advanced threat protection solutions, DLP and others.
• Monitor, refine and enforce – Constantly monitor, refine and enforce the privacy and security policies for encrypted applications and traffic in and out of your network, and make sure they are in sync with corporate policy and regulations.
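As an added illustration of the inventory and granular policy control steps above (example code written for this page, not Blue Coat's product or anything from the report), the following Python script measures the encrypted share of a constructed set of flow records and applies a selective decryption policy: hosts already classified as malicious are blocked before any privacy exemption is considered, privacy-sensitive categories are bypassed without decryption, and the remaining TLS traffic is decrypted for the existing inspection tools. All host names, categories, ports and byte counts are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

TLS_PORTS = {443, 993, 995}                      # ports assumed to carry TLS (HTTPS, IMAPS, POP3S)
PRIVACY_EXEMPT = {"banking", "healthcare"}       # categories exempted from decryption (constructed policy)
KNOWN_MALICIOUS = {"c2.example-malicious.test"}  # hosts flagged by threat intel (constructed placeholder)


@dataclass
class Flow:
    host: str       # server name from the TLS SNI or HTTP Host header
    port: int
    category: str   # URL category assigned by a categorization feed
    nbytes: int


def inventory(flows):
    """Inventory step: share of bytes on TLS ports and the category mix of that encrypted traffic."""
    total = sum(f.nbytes for f in flows)
    encrypted = [f for f in flows if f.port in TLS_PORTS]
    pct = round(100.0 * sum(f.nbytes for f in encrypted) / total, 1) if total else 0.0
    return pct, Counter(f.category for f in encrypted)


def decide(flow):
    """Policy step: per-flow action. Order matters: a privacy exemption must never
    shield a host already known to be malicious, so the block check comes first."""
    if flow.host in KNOWN_MALICIOUS:
        return "block"
    if flow.port not in TLS_PORTS:
        return "inspect-plaintext"   # already visible to the existing tools
    if flow.category in PRIVACY_EXEMPT:
        return "bypass"              # forwarded without decryption; only the connection is logged
    return "decrypt"                 # decrypt and hand to network AV / DLP / sandbox


def apply_policy(flows):
    """Map each host to its action so the decisions can be reviewed and audited."""
    return {f.host: decide(f) for f in flows}


# Constructed sample flows; byte counts chosen so the encrypted share lands at 40%.
SAMPLE_FLOWS = [
    Flow("mail.example.test", 443, "webmail", 4000),
    Flow("bank.example.test", 443, "banking", 1500),
    Flow("news.example.test", 80, "news", 11250),
    Flow("c2.example-malicious.test", 443, "uncategorized", 300),
    Flow("cdn.example.test", 443, "uncategorized", 1700),
]
```

Running `inventory(SAMPLE_FLOWS)` reports the 40% encrypted share with its category mix, and `apply_policy(SAMPLE_FLOWS)` yields the per-host action; the bypass category still appears in the inventory, so the volume of traffic the policy deliberately leaves un-inspected stays visible to the risk review.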
Blue Coat Systems Inc. www.bluecoat.com
© 2014 Blue Coat Systems, Inc. All rights reserved.
v.BC-THE-VISIBILITY-VOID-EN-v1f-1114