Security Report

THE VISIBILITY VOID: Attacks through HTTPS are a vulnerability for enterprises

The Visibility Void

The use of encryption protocols, Transport Layer Security (TLS) or Secure Sockets Layer (SSL), to protect web and email content is now entering its second decade. Research conducted by Sandvine, a Canadian broadband management company, found that the number of Internet users encrypting their online communications has doubled in North America and quadrupled in Latin America and Europe over the past year alone [1]. Thankfully, encryption is here to stay, but it is not without its risks. To identify hidden threats to the business, enterprises need complete visibility into encrypted traffic. At the same time, to comply with local privacy regulations and their own acceptable use policies, enterprises must be able to decrypt this traffic selectively rather than wholesale. An encrypted traffic management strategy must therefore consider various business needs, established corporate policies, and compliance mandates.

[1] https://www.sandvine.com/downloads/general/global-internet-phenomena/2014/1h-2014-global-internet-phenomena-report.pdf

The dawn of a digital dark age

Growing Use of Encryption

As privacy concerns reach an all-time high, the industries where data represents a prized commodity (social media, mobile, and communications) have understandably responded by broadly adopting encryption. Personal privacy concerns have led to goliaths such as Google, Amazon and Facebook switching to an “always on HTTPS” model to protect data in transit (see Fig. 1). Every minute, at least 4,000,000 Google searches, 2,460,000 shares on Facebook, 48,000 Apple app downloads and 23,300 hours of Skype conversations take place [2], all of them protected by SSL encryption. Google has recently announced that HTTPS sites are weighted more positively in Google search results [3]. All this increased adoption of “transport encryption” takes place in an environment where the use of encryption technology in general is becoming routine. For example, technology giant Apple recently announced that its iOS 8 operating system will encrypt all data, by default, on its phones and tablets; the protected data includes photos, messages, contacts, reminders and call history. The explosion of data created by an ever-connected world and growing concern about data privacy mean much more opportunity for serious cyber threats and data loss.

Figure 1: Top 10 most visited websites (Google.com, Facebook.com, Youtube.com, Yahoo.com, Baidu.com, Wikipedia.com, Amazon.com, Twitter.com, Linkedin.com, Qq.com), each marked as “Encrypted Sites (HTTPS)” or “Sites Not Encrypted”. 8 out of the Top 10 global websites use HTTPS (Source: Alexa).

[2] DOMO, Data Never Sleeps 2.0

[3] http://googleonlinesecurity.blogspot.com/2014/08/https-as-ranking-signal_6.html

BY 2017 MORE THAN HALF THE ATTACKS ON NETWORKS WILL EMPLOY SOME FORM OF ENCRYPTED TRAFFIC TO BYPASS SECURITY.

But does encrypted mean safe? In a typical seven-day period, Blue Coat found that 69% of the top 50 websites visited by its customers use HTTPS by default. Only sites focused on publishing daily news or entertainment (e.g. ESPN, BBC News, CNN, or Pandora) use the easily monitored, unencrypted HTTP protocol. Of the top 10 most visited customer sites globally, as ranked by Alexa, nearly all use encryption to deliver at least some content. To manage encrypted traffic, some companies block traffic to these sites, despite employee requests to browse those websites during working hours.

While a benefit for privacy purposes, the blanket use of encryption means that many businesses are unable to govern the legitimate corporate information entering and leaving their networks, creating a growing blind spot for enterprises. This growing visibility void also creates opportunities for attackers to deliver malware directly to users, bypassing network security tools. The lack of visibility into SSL traffic represents a potential threat, especially because benign and hostile uses of SSL are indistinguishable to many security devices. The tug of war between personal privacy and corporate security is unfortunately leaving the door open for novel malware attacks involving SSL over corporate networks. For corporations to secure customer data, they need visibility to make sure they can see the threats hiding in encrypted traffic.

The hostile use of encryption is set to increase in the coming years. Gartner believes that by 2017 more than half the attacks on networks will employ some form of encrypted traffic to bypass security [4]. This will be due in part to large web properties and hosting services switching to the HTTPS protocol. While banks and shopping sites already protect data using such encryption, HTTPS is becoming the rule rather than the exception.

[4] Gartner, Security Leaders Must Address Threats from Rising SSL Traffic, Jeremy D’Hoinne and Adam Hills, December 9, 2013

The good news: You can maintain privacy and still be secure

Of great concern is the low level of sophistication malware coders need to compromise a network using encryption. Why? Many enterprises are under the illusion that what they can’t see can’t hurt them. Malware attacks, using encryption as a cloak, do not need to be complex because the malware operators believe that encryption prevents the enterprise from seeing what they are doing.

Blue Coat’s Global Intelligence Network routinely observes encrypted traffic used for the delivery and command and control of malware, as well as other types of malevolent activity, such as phishing. Some of these attacks not only steal personal data from the infected machine, but leverage that machine’s position within the corporate network to pivot and steal sensitive enterprise information.

Knowing that no one wants to stop encrypting traffic, enterprises need a way to stop threats that are being delivered through encrypted traffic. The good news is that maintaining the privacy of employee personal information and adhering to compliance regulations is possible, while still protecting the enterprise from unwanted intrusions and threats. A policy-based solution decrypts and inspects only targeted traffic, to enhance network security while complying with laws and policies. Open and transparent security protocols, along with tight controls limiting the use of decrypted data (e.g., network security), can be combined with regional and tailored IT monitoring notices to employees to maintain compliance with privacy protocols.

The true risk for an enterprise is to consider privacy and security as mutually exclusive. Privacy should not be a trade-off for security. Legitimate business justifications allow the enterprise to keep the network secure and IP protected while maintaining integrity of personal data.

Figure 2: In a typical seven-day period, the Global Intelligence Network receives over 40,000 requests to newly classified malicious hosts over HTTPS (a strong indication of new infections) and over 100,000 requests to known malware servers over HTTPS (a strong indication of exfiltration in progress). Caption: In a typical seven-day period, Blue Coat Labs receives around 100,000 requests for information about sites using HTTPS protocol for command and control of malware.

DECRYPTION AND PRIVACY CAN CO-EXIST.

Encrypted Traffic Management allows organizations to protect stakeholders by being smart about what is seen and what is not. Encryption isn’t the enemy: it protects your business, customers and employees. Encrypted Traffic Management is essential to ensuring the safety of virtually anything worth protecting. Services such as email, banking and finance, cloud-based services, and industrial systems control some of the most important data in any company.

However, the dangers associated with this protective wrapper around messaging, file-transfer technologies and cloud applications cannot be ignored. Significant data loss can occur as a result of malicious acts by hostile outsiders or disgruntled insiders, who can easily transmit sensitive information. Today a watchful team of security incident responders is required or the consequences can be serious.

Closing the curtains

As already mentioned, malware hiding in encrypted traffic is typically unsophisticated, presenting an opportunity for businesses to find and block attacks easily once the traffic is decrypted. Despite concerted effort from government and private enterprises against cyber criminals intent on exploitation, the onslaught is unforgiving. After authorities effectively shut down Zeus [5], one of the most successful Trojan horse malware families, in a coordinated raid, criminals intent on data theft needed an alternative. Dyre, a widely distributed, password-stealing Trojan originating in Ukraine, is trying to fill the power vacuum left behind when Zeus shut down. In a cyber equivalent of Whack-A-Mole, Dyre quickly replaced Zeus using the same infection mechanisms and achieving the same goals, with the help of encryption. All of Dyre’s command-and-control traffic is, by default, communicated back to its infrastructure over TLS/SSL. Without decryption the bot can enter an enterprise network undetected, luring targets into clicking links to malware contained in phishing emails. Once in, criminal organizations extract user information under the cover of encryption so they can sell it to the highest bidder.

[5] http://en.wikipedia.org/wiki/Zeus_(Trojan_horse)

Encryption and Visibility

As a result of recent massive data breaches and the regular use of encryption that can mask the criminal exfiltration of proprietary information, encrypted traffic needs to be properly managed. Encrypted Traffic Management is a mechanism to responsibly use encryption to protect data, whilst preventing actors with hostile intent from abusing these services. Decryption does not have to compromise privacy; rather, it provides enterprises a way to effectively manage traffic. The risk of a security incident, which could ultimately lead to serious data loss, is not something that just happens to other companies. It is time to take charge of privacy instead of turning a blind eye to the growing volume of encrypted traffic. The visibility void created when the web turns its lights out on network traffic has serious implications for the enterprise, yet holds the key to data privacy. By approaching encrypted traffic with a clear policy-driven management approach, businesses can take to the frontline in cyber warfare.

Best Practices for Managing Encrypted Traffic

Security demands must be balanced with privacy and compliance requirements. Because employee privacy policies and compliance regulations vary geographically, per organization and per industry, businesses need flexible, customizable and policy-driven decryption capabilities to meet their unique business needs. To preserve employee privacy while combating threats hiding in encrypted traffic, IT security departments should:

• Take inventory and plan for growth – Assess the volume of SSL-encrypted network traffic in your organization (we typically see 35 to 45 percent of network traffic being encrypted), including the mix of traffic types (not just web/HTTPS traffic), current volume and projected increase.

• Evaluate the risk of un-inspected traffic – In addition to malware coming into the enterprise, examine what type of data is at risk from both a security (exfiltration) and a privacy standpoint. Share insights across IT, security, HR and legal departments.

• Create an action plan – Evaluate employee “acceptable use” policies, privacy requirements and compliance regulations, and create formal policies to control and manage encrypted traffic based on traffic type, origination and other security and privacy vulnerabilities.

• Apply granular policy control – Selectively identify, inspect and decrypt web-based SSL traffic according to your established policies. Decrypted data can then be processed by the security tools you have already invested in on the network, such as network antivirus, advanced threat protection solutions, DLP and others.

• Monitor, refine and enforce – Constantly monitor, refine and enforce the privacy and security policies for encrypted applications and traffic in and out of your network, and make sure they are in sync with corporate policy and regulations.
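The selective, policy-driven decryption described in the action-plan and granular-control steps above, together with the Figure 2 signal of HTTPS requests to known malicious hosts, as an added example that is not Blue Coat’s code: the privacy categories, the regional webmail rule, the malicious-host list and the sample flows are constructed assumptions for illustration.

```python
"""Decide per TLS flow whether a proxy should intercept or bypass it, then count
flows to known malicious hosts. Added example; all policy data is constructed."""
from collections import Counter

# Categories never decrypted, for privacy/compliance reasons (assumed policy).
PRIVACY_BYPASS = {"banking", "healthcare", "government"}
# Regions whose personal webmail must stay private (assumed regional policy).
WEBMAIL_BYPASS_REGIONS = {"EU"}
# Constructed threat-intel list of hostnames classified as malicious.
MALICIOUS_HOSTS = {"c2.example-bad.test", "drop.example-bad.test"}

def decide(flow):
    """Return ('intercept'|'bypass', reason) for one flow described by a dict
    with keys sni, category, user_region. Known-malicious and uncategorized
    destinations are always inspected; privacy categories are never decrypted."""
    sni = flow.get("sni", "")
    cat = flow.get("category", "uncategorized")
    if sni in MALICIOUS_HOSTS:
        return "intercept", "known malicious host"
    if cat in PRIVACY_BYPASS:
        return "bypass", f"privacy category {cat}"
    if cat == "webmail" and flow.get("user_region") in WEBMAIL_BYPASS_REGIONS:
        return "bypass", "regional webmail privacy rule"
    if cat == "uncategorized":
        return "intercept", "uncategorized destination"
    return "intercept", f"default policy for {cat}"

def malicious_https_requests(flows):
    """Count HTTPS flows to known malicious hosts per source address; a rising
    count is the infection/exfiltration indicator Figure 2 describes."""
    counts = Counter()
    for f in flows:
        if f.get("sni") in MALICIOUS_HOSTS:
            counts[f["src"]] += 1
    return dict(counts)

# Constructed sample flows (not real traffic): src, TLS SNI, category, region.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "sni": "bank.example", "category": "banking", "user_region": "US"},
    {"src": "10.0.0.5", "sni": "c2.example-bad.test", "category": "uncategorized", "user_region": "US"},
    {"src": "10.0.0.7", "sni": "mail.example", "category": "webmail", "user_region": "EU"},
    {"src": "10.0.0.7", "sni": "drop.example-bad.test", "category": "file-sharing", "user_region": "EU"},
    {"src": "10.0.0.9", "sni": "news.example", "category": "news", "user_region": "US"},
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow["src"], flow["sni"], *decide(flow))
    print(malicious_https_requests(SAMPLE_FLOWS))
```

The bypass decisions are made on the TLS handshake metadata (SNI and category) alone, so the proxy never holds plaintext for the privacy categories; only the intercepted flows reach downstream antivirus or DLP tools.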

Network + Security + Cloud

© 2016 Blue Coat Systems, Inc. All rights reserved. Blue Coat, the Blue Coat logos, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter, CacheOS, CachePulse, Crossbeam, K9, the K9 logo, DRTR, MACH5, PacketWise, Policycenter, ProxyAV, ProxyClient, SGOS, WebPulse, Solera Networks, the Solera Networks logos, DeepSee, “See Everything. Know Everything.”, “Security Empowers Business”, and BlueTouch are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only. Blue Coat makes no warranties, express, implied, or statutory, as to the information in this document. Blue Coat products, technical services, and any other technical data referenced in this document are subject to U.S. export control and sanctions laws, regulations and requirements, and may be subject to export or import regulations in other countries. You agree to comply strictly with these laws, regulations and requirements, and acknowledge that you have the responsibility to obtain any licenses, permits or other approvals that may be required in order to export, re-export, transfer in country or import after delivery to you. v.BC-THE-VISIBILITY-VOID-EN-v2b-0216

Blue Coat Systems Inc. www.bluecoat.com Corporate Headquarters Sunnyvale, CA +1.408.220.2200 EMEA Headquarters Hampshire, UK +44.1252.554600 APAC Headquarters Singapore +65.6826.7000
