Threats Are Hiding in Encrypted Traffic on Your Network
TRANSCRIPT
Manoj Sharma | Technical Director | Symantec Corp
Mark Sanders | Lead Security Architect | Venafi
What You Will Learn
• Why encryption and digital certificates are helping our adversaries
• How to architect for today's and tomorrow's SSL/TLS threatscape
• What you need to successfully run your operations
• What's your 45-day action plan
SSL/TLS Threats Update
Problem: ΣΚΌΤΟΣ = Scotoma = Blind Spot
50-75% and climbing: the share of enterprise network traffic that is encrypted with SSL/TLS today
“50% of network attacks will use SSL/TLS by 2017”
“70% of network attacks will use SSL/TLS by 2020”
Encrypted tunnels mean security systems can't see what's coming
Traditional security systems can't keep up with the performance needed to decrypt and inspect SSL/TLS network traffic
Differences in Enterprise Encryption Strategies by Country
Source: Ponemon Institute, 2016 Global Encryption Trends Study.
Malware and Outbound SSL
SSL/TLS: Hidden Dangers
Bad actors are using encryption to:
• Hide malicious actions and messages
• Hide the initial infection
• Hide the command and control channel
• Hide data exfiltration
2987 blacklisted SSL certificates: https://sslbl.abuse.ch/
• Most (recently) are Dyre C&C, KINS C&C, Vawtrak MITM, Shylock C&C, URLzone C&C, TorrentLocker C&C, CryptoWall C&C, Upatre C&C, Spambot C&C, Retefe C&C, ZeuS MITM, etc.
* Chart: TCP ports used by the Dyre Trojan for hidden command & control - Blue Coat Labs
Bad Guys Are Evading Defenses
[Diagram]
Threat actors: nation states, cybercrime, hacktivists, insider threats
Traditional enterprise defenses: host AV, NGFW, IDS/IPS, DLP, SIEM, email gateway, web application firewall, traditional web gateway
Traditional threats: known threats, known malware, known files, known IPs/URLs
Advanced threats: novel malware, zero-day threats, targeted attacks, modern HTTPS
SSL/TLS: Hidden Dangers
Users: are they SSL aware?
“Next big hacker marketplace will be in stolen certificates”
What Do You Think Things Look Like?
Secure communications
This Is What It Really Looks Like
What people picture: secure communications.
What is really there: secure communications, server authentication, client-side authentication, and the SSL and SSH keys and certificates underneath all of them.
More Keys, More Certificates, More Encryption
Architecting for SSL/TLS Threats
Architecture Gap Analysis

| | Today | Ready for Threats |
|---|---|---|
| Role of decryption | Non-existent / tactical | Strategic |
| Inspection points | Few | |
| Performance | Struggling | Wirespeed |
| Outbound decryption: internal trusted root CA | | |
| Inbound decryption: all keys & certs available | Few | All available |
| Inbound decryption: keys & certs securely distributed | Email, flash drive, file server | Encryption distribution without people |
Balancing Compliance and Data Privacy
Data privacy concerns and the risk of advanced threats lead to two requirements:
1) Manage what type of information is decrypted
2) Assure custody and integrity of encrypted data
Inbound and Outbound Traffic
• Inbound SSL decryption (web and email servers, customer web portals): traffic from the Internet to the web, email and portal servers is decrypted and fed to the security solution: IPS & IDS, AV, DLP, APM, SIM & SIEM, forensics.
• Outbound SSL decryption (encrypted email, social networks, CRM, etc.): traffic from clients to the Internet is decrypted and fed to the same security solution: IPS & IDS, AV, DLP, APM, SIM & SIEM, forensics.
PKI Architecture for Inspection
• Inbound: the organisation's own server certificates (www…, app.., v125..) are static.
• Outbound: an enterprise root signs an SSL decryption intermediate (both static); per-site certificates for destinations such as google.com, outlook.com and dropbox.com are generated on the fly under that intermediate.
Architecture for Visibility
[Diagram] Components: client, gateway/firewall, corporate servers, SSL visibility appliance, Internet server, NG IPS, sandbox, security analytics, global intelligence network. Legend: encrypted traffic vs. decrypted traffic; the appliance decrypts once and feeds the NG IPS, sandbox and security analytics (steps ❶ to ❹).
SSL Blind Spots in Action: Data Infiltration + Exfiltration Using SSL
• Malware infiltration and data exfiltration, observed using Wireshark
• Compare pcaps from identical operations with and without SSL inspection enabled in the network
• Download a file (magnetic*) from sourceforge.net (HTTP download)
• Download a known file using HTTPS: infiltration
• Upload sensitive data using HTTPS: exfiltration
SSL Blind Spots: Data Exfiltration Experiment
Symantec DLP Network Prevent details:
• Base OS: MS Windows 2012 R2
• DLP Network Prevent software version: 14
• DLP Network Prevent configured to monitor HTTP and HTTPS ports
SSL inspection device: hardware model SV800, software version 3.8.2-409
Experiment:
1. Upload sensitive data using HTTP
2. SSL inspection disabled: upload sensitive data using HTTPS
3. SSL inspection enabled: upload sensitive data using HTTPS
NOTE: Symantec does not claim they can inspect SSL traffic on their network DLP products.
Economics of SSL Decryption
• Cost of no action = infection = intrusion = breach = $
• Direct
  • Low performance -> higher cost to reach the needed throughput
  • Incomplete support for the latest ciphers creates unseen blind spots
• Indirect
  • Time and effort to identify, gather, distribute, and update keys and certificates
Ongoing Operations
Maintaining Decryption
• Capture new keys and certificates (including those generated outside of IT security)
• Update renewed and rekeyed keys and certificates throughout the SSL/TLS chain (e.g. firewall, load balancer, WAF, etc.)
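The check those two bullets amount to, as an added example (not from the deck, and not Symantec or Venafi code): take the leaf certificate each DMZ host is actually serving, fingerprint its DER, and compare against the fingerprints the inline decryption device holds; anything served but not held is a renewal or rekey that slipped past the process. The PEM inputs here are constructed placeholders wrapped in PEM armour rather than real X.509 DER, and the host names and the "leaf first" chain order are assumptions; in use the PEM would come from each listener (for instance via openssl s_client).

```python
"""Reconcile the leaf certificates DMZ hosts actually serve with the key store loaded on
the inline decryption device: a served leaf whose fingerprint the device does not hold was
renewed or rekeyed outside the process and is, from that moment, an inbound blind spot."""
import base64
import hashlib
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_text):
    """SHA-256 of the DER of every CERTIFICATE block, in order (leaf first in a served chain);
    the same value `openssl x509 -noout -fingerprint -sha256` prints, without the colons."""
    return [hashlib.sha256(base64.b64decode("".join(b64.split()))).hexdigest()
            for b64 in PEM_CERT.findall(pem_text)]


def reconcile(served, device_store):
    """served: host -> PEM chain captured from that host's listener.
    device_store: fingerprints of the leaf certificates (with keys) the device holds."""
    leaf = {host: fingerprints(pem)[0] for host, pem in served.items()}
    return {
        "cannot_decrypt": sorted(h for h, fp in leaf.items() if fp not in device_store),
        "stale_in_store": sorted(device_store - set(leaf.values())),
    }


def fake_pem(label):
    """Constructed placeholder: PEM armour around a label instead of real DER, so the
    example runs offline. In use, the PEM comes from the host (e.g. openssl s_client)."""
    b64 = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed inventory: portal.example.com was renewed, but the device still holds last year's leaf.
SERVED = {
    "www.example.com": fake_pem("www-leaf-2016"),
    "portal.example.com": fake_pem("portal-leaf-2016-renewed"),
    "mail.example.com": fake_pem("mail-leaf-2016"),
}
DEVICE_STORE = {fingerprints(fake_pem(x))[0] for x in ("www-leaf-2016", "portal-leaf-2015", "mail-leaf-2016")}

if __name__ == "__main__":
    print(reconcile(SERVED, DEVICE_STORE))
```

Run on a schedule shorter than the shortest certificate lifetime in the DMZ: `cannot_decrypt` is the list of hosts whose inbound traffic the device has silently stopped seeing, and `stale_in_store` is the set of keys that can be retired from the device.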
What User Benefits Does TLS 1.3 Offer
• Higher security than TLS 1.2
  • Only supports handshake mechanisms that provide perfect forward secrecy
  • RSA key exchange not supported
  • Most existing cipher suites are no longer supported
  • Only AEAD cipher suites are supported: AES-GCM, AES-CCM and ChaCha20-Poly1305
  • Most handshake messages are encrypted
• Higher speed
  • Faster session establishment
  • Fewer round trips before data can be passed: the standard handshake is 1 round-trip time (RTT), compared with 2 in TLS 1.2
  • Option for 0-RTT, letting the client send early data, though with weaker security (no forward secrecy or replay protection for that data) until the handshake completes
• Downgrade attack detection
  • Lets the client detect that a server which supports 1.3 used 1.2 because it was tricked into thinking the client doesn't support 1.3
Myths and Facts About TLS 1.3
• Claim: It prevents MITM devices from being able to look at decrypted data. Reality: More difficult, but not impossible.
• Claim: It will require new clients (browsers). Reality: Already implemented in browsers.
• Claim: There is no possibility to do passive decryption for TLS 1.3. Reality: Must be a bump in the wire.
• Claim: SSLV does not support TLS 1.3. Reality: We do already, as you will see.
• Claim: You cannot downgrade a session. Reality: You can if you fully terminate TCP and TLS (i.e. a full TLS proxy).
• Claim: It will be years before TLS 1.3 is implemented by major sites. Reality: Once the standard is final, rollout will be fast for many large TLS sites on the Internet; Google, Facebook, Cloudflare and the CDNs are all ready to roll; enterprise sites, particularly financial services, are likely to take longer to adopt.
45-Day Action Plan
Your 45-Day Action Plan
• Outbound: HR and Legal must be consulted to ensure user privacy is respected and preserved.
• Inbound: obtaining keys/certificates, how you will keep them secure, how you will keep them updated.
• Map your SSL footprint = risk exposure
• Decrypt once, feed many vs. decryption in many places in the network
• Performance impact of decryption on existing network/security devices
• Local regulations and compliance requirements
Map Your Inbound SSL/TLS Footprint
• Where and how many SSL/TLS-enabled entities? What are all the systems involved in SSL/TLS through the DMZ (e.g. firewall, load balancer, WAF, etc.)?
• What are the security controls that need visibility into encrypted traffic?
• How will you track keys and certificates? How frequently are they renewed and rekeyed?
• Who and how many are responsible for each key and certificate?
• How will you get them? How will you transfer keys and certificates?
• How will you update keys and certificates?
Map Your Outbound SSL/TLS Footprint
• % of total north-south traffic that is SSL/TLS encrypted
• SSL versions seen on the network
  • SSL versions have known vulnerabilities. SSL: bad; TLS: good
  • Best practice: do not allow known-bad protocols
• Certificate status
  • Valid vs. invalid certificates; you should not see any traffic with an invalid certificate
  • Best practice: do not allow "not valid" certificate traffic
• SSL/TLS traffic that isn't on port 443, and non-SSL traffic that is using port 443
• Protocol versions in use
• Ciphers used
  • Strong vs. weak cipher suites (Logjam and FREAK exploit export-grade key exchange; Heartbleed is an OpenSSL implementation bug rather than a cipher weakness, but belongs on the same watch list)
  • Best practice: do not allow connections with weak ciphers
• Top N
  • SSL sites by request
  • Users of SSL/TLS traffic
  • North-south communication
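An added example (not from the deck, and not Symantec or Venafi code) that serves two passages: the footprint items on this slide (protocol versions, weak suites, TLS off port 443, non-TLS on port 443, top SNI) and the downgrade-detection bullet under the TLS 1.3 benefits. It is a minimal parser for the first TLS record of a flow, handling both ClientHello and ServerHello, plus an inventory routine and the RFC 8446 section 4.1.3 sentinel check (a TLS 1.3-capable server that ends up negotiating 1.2 or lower writes "DOWNGRD" followed by 0x01 or 0x00 into the last 8 bytes of ServerHello.random). Assumptions: a capture tool hands over flows as (destination, port, first bytes the client sent); the whole Hello sits in one record; the sample flows, addresses (TEST-NET ranges) and host names are constructed, not captured traffic.

```python
"""Outbound SSL/TLS footprint helpers on a minimal TLS Hello parser: parse_hello() reads a Client/
ServerHello, map_footprint() inventories flows, and downgrade_detected() checks the ServerHello.random
sentinel (RFC 8446, section 4.1.3) that a TLS 1.3-capable server sets when talked down to 1.2 or lower."""
from collections import Counter

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
WEAK_SUITES = {0x0000: "NULL-NULL", 0x0003: "RSA-EXPORT-RC4-40-MD5", 0x0004: "RSA-RC4-128-MD5",
               0x0005: "RSA-RC4-128-SHA", 0x0014: "DHE-RSA-EXPORT-DES40-CBC", 0x0018: "DH-anon-RC4-128"}
DOWNGRADE_SENTINELS = (bytes.fromhex("444F574E47524401"),   # "DOWNGRD\x01": ended at TLS 1.2
                       bytes.fromhex("444F574E47524400"))   # "DOWNGRD\x00": ended at TLS 1.1 or lower


def parse_hello(data):
    """{kind, version, random, ciphers, sni} for a ClientHello (1) or ServerHello (2) in the first
    record; None for anything else (plain HTTP on 443, SSH, a truncated capture)."""
    if len(data) < 9 or data[0] != 22 or data[1] != 3:            # handshake record, SSL3/TLS family
        return None
    body = data[5:5 + int.from_bytes(data[3:5], "big")]
    if not body or body[0] not in (1, 2):
        return None
    kind = "client" if body[0] == 1 else "server"
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:
        return None
    version, random = int.from_bytes(hello[:2], "big"), hello[2:34]
    pos = 35 + hello[34]                                           # skip legacy session id
    if kind == "client":
        n = int.from_bytes(hello[pos:pos + 2], "big")
        ciphers = [int.from_bytes(hello[i:i + 2], "big") for i in range(pos + 2, pos + 2 + n, 2)]
        pos += 2 + n
        pos += 1 + hello[pos]                                      # compression methods list
    else:
        ciphers = [int.from_bytes(hello[pos:pos + 2], "big")]
        pos += 3                                                   # selected cipher + compression
    sni = None
    if pos + 2 <= len(hello):                                      # extensions are optional
        end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(hello[pos:pos + 2], "big")
            elen = int.from_bytes(hello[pos + 2:pos + 4], "big")
            edata = hello[pos + 4:pos + 4 + elen]
            if etype == 0 and len(edata) >= 5:                     # server_name: list len, type, host len, host
                sni = edata[5:5 + int.from_bytes(edata[3:5], "big")].decode("ascii", "replace")
            elif etype == 43 and edata:                            # supported_versions: where TLS 1.3 shows up
                vals = edata[1:1 + edata[0]] if kind == "client" else edata[:2]
                offered = [int.from_bytes(vals[i:i + 2], "big") for i in range(0, len(vals) - 1, 2)]
                version = max((v for v in offered if v in VERSIONS), default=version)   # ignore GREASE
            pos += 4 + elen
    return {"kind": kind, "version": version, "random": random, "ciphers": ciphers, "sni": sni}


def downgrade_detected(server_hello, client_offered_tls13=True):
    """True when the client offered 1.3, the session ended below 1.3 and the sentinel is present."""
    sh = parse_hello(server_hello)
    if sh is None or sh["kind"] != "server" or not client_offered_tls13 or sh["version"] >= 0x0304:
        return False
    return sh["random"][-8:] in DOWNGRADE_SENTINELS


def map_footprint(flows):
    """flows: (destination, port, first bytes the client sent). Builds the footprint inventory."""
    inv = {"versions": Counter(), "sni": Counter(), "weak_offers": [], "tls_off_443": [], "non_tls_on_443": []}
    for dst, port, data in flows:
        where, ch = f"{dst}:{port}", parse_hello(data)
        if ch is None or ch["kind"] != "client":
            if port == 443:
                inv["non_tls_on_443"].append(where)                # something else hiding on the TLS port
            continue
        inv["versions"][VERSIONS.get(ch["version"], hex(ch["version"]))] += 1
        if ch["sni"]:
            inv["sni"][ch["sni"]] += 1
        weak = sorted(WEAK_SUITES[c] for c in ch["ciphers"] if c in WEAK_SUITES)
        if weak:
            inv["weak_offers"].append((where, weak))
        if port != 443:
            inv["tls_off_443"].append(where)                       # TLS that a port-based policy misses
    return inv


def build_hello(kind, legacy_version, ciphers, sni=None, versions=None, random=bytes(32)):
    """Assemble a minimal Client/ServerHello record (constructed here only for the sample flows)."""
    exts = b""
    if sni:
        entry = b"\x00" + len(sni.encode()).to_bytes(2, "big") + sni.encode()
        exts += b"\x00\x00" + (len(entry) + 2).to_bytes(2, "big") + len(entry).to_bytes(2, "big") + entry
    if versions:
        vs = b"".join(v.to_bytes(2, "big") for v in versions)
        vs = bytes([len(vs)]) + vs if kind == "client" else vs
        exts += b"\x00\x2b" + len(vs).to_bytes(2, "big") + vs
    cs = b"".join(c.to_bytes(2, "big") for c in ciphers)
    hello = legacy_version.to_bytes(2, "big") + random + b"\x00"              # empty session id
    hello += len(cs).to_bytes(2, "big") + cs + b"\x01\x00" if kind == "client" else cs + b"\x00"
    hello += len(exts).to_bytes(2, "big") + exts if exts else b""
    hs = bytes([1 if kind == "client" else 2]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + legacy_version.to_bytes(2, "big") + len(hs).to_bytes(2, "big") + hs


SAMPLE_FLOWS = [   # constructed, not captured: (destination, port, first client bytes)
    ("203.0.113.10", 443, build_hello("client", 0x0303, [0x1301, 0xC02F], "www.example.com", [0x0304, 0x0303])),
    ("203.0.113.20", 443, build_hello("client", 0x0303, [0xC02F, 0x0005], "mail.example.net")),
    ("198.51.100.7", 8443, build_hello("client", 0x0303, [0xC02F], "api.example.org")),
    ("198.51.100.9", 443, b"GET / HTTP/1.1\r\nHost: 198.51.100.9\r\n\r\n"),
    ("192.0.2.33", 443, build_hello("client", 0x0300, [0x0004, 0x000A])),      # SSLv3 client offering RC4
]
```

Two things the counts alone do not show: a TLS 1.3 ClientHello still carries 0x0303 as its legacy version, so a tool that only reads the header bytes will under-report 1.3 until it looks at supported_versions; and the downgrade sentinel is only meaningful when the client actually offered 1.3, which is why `downgrade_detected` takes that as an argument rather than assuming it.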
Manoj Sharma |Technical Director | Symantec Corp
Mark Sanders | Lead Security Architect | Venafi [email protected]
THANK YOU