Only the most hardcore curmudgeon hasn’t made a sensitive data transaction via the Internet. Did you file your taxes electronically? Ever buy a plane ticket? What about ordering up a car from Uber? We send tons of private information to and from multiple web and app services via unsecure networks every day. The good news is your sensitive data—password, credit card, health and financial details—are encrypted in transit courtesy of transport layer security or TLS. This keeps prying eyes at bay. The bad news is, unscrupulous attackers have a direct conduit to your PC with a stealthy way to plant malware right on the endpoint. For the most part, organizations are not equipped to “look inside” TLS to identify and stop malware. The endpoint is often the last and only line of defense against malware infiltration, which is why effective endpoint controls are so important.
The progenitor of TLS was SSL, developed in 1994 by Netscape as a protocol to promote data privacy. Though encrypted communications are commonly referred to as “SSL,” today it’s mostly TLS at work under the hood. These technologies, which employ a combination of asymmetric and symmetric keying coupled with various hashing techniques, are a major cornerstone of the Internet economy because they enable secure commerce.
I like to think of encrypted communications as a garden hose from me to a service. Let’s say I’m paying for an Amazon purchase and I’ve just submitted my credit card info. As the data flows through intermediate hops between Amazon and me, network operators can observe the hose but they don’t know exactly what’s traveling through it. What’s inside is anyone’s guess because conventional network monitoring is blind to the encrypted contents. SSL’s use is growing dramatically as the default protocol for plain old web surfing and apps. Though Internet-wide hard numbers are difficult to obtain, anecdotally it accounts for about 65 percent of traffic in large environments.
Attackers have found ways to crack keys and play man-in-the-middle for the purpose of stealing your data. For defenders, tech evolution is necessary to stem the effects of these subversive tactics. Therefore SSL/TLS has evolved to become stronger and less susceptible to exploitation through seven versions.
Another notable trend is use of longer crypto keys to making cracking more difficult. The major search engines have already moved to computationally intensive 2048-bit and 4096-bit ciphers. The evolution of TLS lends itself to higher trust levels. The hose has thicker armor.
But what’s inside that armor is the thing that can put your data at risk. TLS keeps communications private while potentially delivering malware directly to your endpoint. Yin and yang.
Previously I mentioned conventional network monitoring. What about SSL decrypt technologies? Why not simply split apart the flows, look inside for nasty bits then send them on their way? This is a great idea but it’s fraught with two main non-starters: 1) problems with scalability and 2) the fact that signatures are dead.
Firstly, SSL/TLS decrypt requires dedicated equipment to perform at scale. For example, one familiar name in next-gen firewalls can absolutely do SSL decrypt right out of the box. However, if you look at the fine print, when doing SSL decrypt on their $80,000 firewall, performance drops from 10 gigabits per second (Gbps) to around 1 Gbps (10 percent of max—an anemic number) and that is with 1024-bit SSL ciphers. As SSL graduates to harder-to-crack 2048-bit and higher, these boxes won’t keep up, especially as SSL grows as a percentage of your overall traffic. Maybe SSL is 50 percent today, but it’ll be 65 percent next year and 75 percent the year after. Other approaches to peeking inside of SSL can include hardware optimized proxies and load balancers, but this all gets expensive very quickly, especially since it will only identify some previously known malware or exploits inside of SSL.
Secondly, according to the 2015 Verizon DBIR report, 70 to 90 percent of malware samples are unique to a single organization. This means using signature-based and reputation-based sources to identify malware is highly ineffective. Therefore cracking open SSL is an exercise in futility because what you’re looking for is probably not on your signature list.
At Cylance, we believe that there is a better way. By letting your endpoints be your distributed analysis and auto-quarantine platform we can identify nastyware right at the endpoint right where the decryption is meant to happen. Our math-based approach identifies both known and unknown malware, including the Trojan that was just created a moment ago. Your office users will thank you because you don’t break their SSL apps. Your mobile users enjoy protection even if they aren’t in the office behind your now more simplified security stack. The CFO will shout with joy at reduced costs. The CIO and CISO will love the reduced risk.
Grant Moerschel is a solutions engineer with Cylance.