Encryption has become an essential component of today’s digital businesses, especially as more customers, workers, and applications connect to corporate resources across the public internet. Not only is global consumer IP traffic growing at a 27% CAGR, the volume of internet traffic that is also being encrypted has been steadily rising for the past few years. According to FortiGuard Labs, the total percentage of encrypted web traffic is now around 85%, up from just 55% in Q3 of 2017. This traffic is a larger and larger slice of a steadily increasing pie.
Of course, encryption allows organizations to safely move sensitive and confidential information around without exposing financial data, PII, or IP to prying eyes. But since organizations don’t have visibility into most of that traffic, it may also be carrying unsanctioned applications and malware hidden in encrypted flows.
Cybercriminals are actively using this blind spot to get around security detection, knowing most people do not inspect it. They use encryption to obscure their presence and evade detection, whether delivering malware or exfiltrating stolen data, to bypass traditional security tools knowing most people do not inspect it—which is why most CIOs indicate they have experienced a network attack using SSL encryption.
Gartner also predicts that more than 70% of malware campaigns in 2020 will use some type of encryption to conceal malware specifically because encrypting attacks and malware makes security defenses less effective. For example, hackers use SSL encryption to hide an initial attack by encrypting their malware and sending it through an approved port. Many forms of malware also rely on encryption to hide command and control communications. And cybercriminals leverage encryption to protect stolen network information and user credentials, such as passwords, bank accounts, and other sensitive information, for the same reasons that businesses encrypt that same data.
Of course, inspecting encrypted traffic is the answer, but that’s easier said than done. The first problem is the time it takes to decrypt and re-encrypt data in order to inspect it. And time is something that most businesses are unwilling to spend. The demands of the digital marketplace require data to be immediately accessible, and technologies managing the time and overhead needed for accessing encrypted information needs to be improved if encryption is to be more readily applied. Unfortunately, few security tools can inspect encrypted traffic at the speeds that today's digital businesses require.
Generally speaking, examining encrypted traffic puts an enormous strain on a security device. Using ciphers to decrypt and inspect SSL/TLS traffic correctly is exceptionally CPU-intensive. As a result, nearly every firewall – especially those that rely on off-the-shelf processors for their computing power – sees its performance drop dramatically when it comes to inspecting encrypted traffic.
On average, according to NSS Labs, the performance hit for deep packet inspection after SSL decryption is 67%. In fact, performance numbers are so low that many firewall vendors refuse to publish them. Even more concerning, not all security products deployed to inspect encrypted traffic support the top 30 cipher suites or support TLS 1.3, which means that some traffic that appears to be being analyzed isn't being processed by some security devices at all. That's because the default setting on most firewalls is just to let uninspected encrypted traffic to simply pass through. Of course, given the percentage of encrypted traffic now in use, this renders most traditional security devices in today's high-performance networks nearly useless.
What's needed is a security solution designed to more efficiently handle this sort of traffic, given the need for performance and scalability in today’s marketplace. Of course, custom processors are not news. Companies like Google, Microsoft, Amazon, and Apple have all developed specialized chips for high-performance devices and environments. Sadly, it’s mostly security that is lagging behind. And this is a critical oversight that has enormous ramifications.
To highlight the difference that purpose-built processors can provide, Fortinet developed the Security Compute Rating benchmark that compares the performance of ASIC-based Next-Generation Firewall appliances to NGFW and SD-WAN solutions that utilize generic processors and network acceleration components for their networking and security functions. Custom processors explicitly designed to accelerate security and network functions such as inspecting encrypted traffic inspection demonstrate performance increases of between 15X and 40X.
In today’s increasingly dynamic and continuously expanding networks, security that can function hand-in-glove with core networking functionality, and perform crucial functions like inspecting encrypted traffic without compromising on performance is essential. The failure on the part of the majority of today’s largest security vendors to step up and fill this gap is nothing short of irresponsible. It’s time for security vendors to deliver the next generation of high-performance, highly scalable security solutions that today’s organizations require.
Learn more about how The FortiGate Next Generation Firewall delivers the industry’s highest SSL inspection to protect against attacks that hide in encrypted traffic.