Cybersecurity is meaningless without visibility into encryption

By Preston Hogue, Security Specialist, F5 Labs


The vast majority of organisations have no visibility into encrypted traffic, nor do they have protection against automated attackers. In Mary Meeker’s most recent Internet Trends report, the numbers show that in the first quarter of 2019, 87 per cent of global web traffic was encrypted, up from 53 per cent just three years ago.

This signals encryption is becoming the norm. In my opinion, in another five to ten years, the entire Internet will be encrypted.

But what does this mean for enterprise security leaders?

As cybercriminals continue to perfect strategies for penetrating target networks and lingering, unnoticed, to collect sensitive data over long periods, the exfiltration is essentially happening right under victims’ noses. Without visibility into encrypted traffic, IT teams have serious blind spots in their security, and those blind spots can lead to financial losses, data breaches, and damage to the corporate reputation. F5 Labs threat research shows that 68 per cent of malware uses encryption to hide when calling back to command and control. This is why it’s essential to regain visibility into that encrypted traffic and allow malware-scanning and prevention devices to protect the apps and the network.

Security is about controlling risk, and control is only possible with visibility. Indeed, any organisational cybersecurity strategy that does not take enhanced visibility of encrypted traffic into account is bordering on pointless. Taking control of visibility in relation to inbound encrypted traffic is vital, but it is also just the first step in solving the problem.

The risks of encryption for organisations

Cybersecurity leaders are dealing in a new realm of encrypted threats. Gartner predicts there will come a time when more than half of network attacks targeting enterprises will use SSL encryption. What does that mean? In a nutshell, it’s a gaping blind spot for organisational security.

This is because adoption of encryption for network traffic is increasing to shield data from cyberattack, but at the same time cybercriminals are increasingly encrypting their malicious activity. IT teams now have the difficult task of telling safe traffic apart from malicious traffic.

From a technological perspective, the placement of devices in the inspection zone is of critical importance when building any encryption framework, and when striking the crucial balance between strategic encryption and governance.

If you run an enterprise with multiple devices, you should consider creating a demilitarised zone: a portion of the enterprise network that sits behind a firewall but is segmented from the internal network. Within it, you can have an encryption zone, not just for security encryption, but also for the ability to troubleshoot on the network.

Integrating inspection zones into any build

The core component of setting devices and cloud up for success in encryption security is to look at organisational principles, and keep confidentiality, integrity, availability, and privacy in mind at every step of the way.

Hardware isn’t dead, as some believe, and hardware that’s built correctly will be able to support the audit controls and admin privileges needed for non-repudiation. As for the cloud, with its massive amount of compute, limitations will mostly surface where too little thought has gone into non-repudiation and into the control environment. As a result, there need to be inspection zones to look for malicious content.


However, inspection zones are not the silver bullet they appear to be. Enterprise security leaders need to take a pragmatic approach to inspection zones, because if malicious content is discovered at this stage in the game, half the battle has already been lost, as you are down to your last line of organisational defence.

In this respect, it’s prudent to have multiple layers of inspection defence so that traffic can be examined before it reaches any critical point.

Winning the backdoor battle in the encryption era

Organisations can win the backdoor battle if they implement the necessary processes now. This typically involves doing SSL or TLS inspection and re-inspection in the correct, multi-layered zones. But government has its role to play too, and needs to take steps to enforce measures around encryption in the same way it does today for lawful intercepts. The bigger challenge will be aligning inspection zones and law enforcement at that level of governance, and this will be the secret sauce to winning the war.

One thing’s for sure – the battle will not be won by breaking the integrity of encryption. Otherwise, the entire system is moot.
