Industry Trends

You Can’t Protect What You Can’t See

By Phil Quade | March 26, 2018

How many of us would hire a home security company that sent a representative to our house to tell us to remove all our lightbulbs so that it was pitch black inside? Sure, it would make it much more difficult for the burglars to find their way around. But with no way to turn the lights on, it would also be almost impossible to find the intruders—or determine whether there had been a break-in at all.

As absurd as that may sound, it is essentially the position many organizations may find themselves in if they have followed an approach to data security that is more tactical than strategic.

In data protection, encryption hides valuable information from unauthorized eyes by encoding data so that only authorized parties can see and access it. It is an incredibly powerful “must-have” of cybersecurity—one that all of us benefit from every time we send or receive sensitive digital information. Though often difficult to implement well, especially at scale, strong encryption is as close to a silver bullet as we have in data protection.

But in the race to protect networks in an increasingly threat-heavy environment, encryption’s inarguable role often leads to its deployment in ways that remove the lightbulbs of network owners. Without the ability to perform what is often known as “SSL inspection” or “break and inspect,” organizations can’t examine much of the data moving in or out of their networks. Without visibility, those responsible for safeguarding the sanctity of an organization’s data are flying blind.

There is no denying that encryption impedes external threat actors. But what if the breach of data is internal? Consider the risks of a disgruntled or former employee stealing and selling intellectual property to competitors, leaking compromising financial information or otherwise disclosing sensitive company data with the intent of harming the organization or its people.

In these instances, which are not at all uncommon, the company’s encryption actually fails to protect the company by making it much more difficult to detect evidence of data being stolen and to assess what part of the organization or network has been compromised.

When it is an external attack, it is even worse. National security organizations, among the best in the world, are constantly looking for “unknown unknowns” – indicators that they have been compromised even though there is no evidence. They vigilantly comb through networks for evidence of covert command and control and stealthy exfiltrations, analyzing communications for evidence and suspicious patterns. But even they rely on SSL decryption to ensure that their own network encryption is not used against them.

There is a common counterargument that detractors of break and inspect sometimes make; they contend that what people do on company networks should not be accessible by anyone.  They say that skilled cybersecurity professionals can effectively ascertain such things through traffic analysis alone—without ever even viewing the actual content. 

For example, if they detect a node that receives but never transmits information, there is a strong chance that they have uncovered a bot accepting the commands of a distant commander. Conversely, if they find a node that always sends information but never receives it, then they should suspect it to be a command and control node or exfiltration site. 

Even with a strong understanding of the intricacies of a network’s structure, though, a good IT team has to leverage the ability to break and inspect to access any irregular or suspicious activity. If bots and C2 nodes are able to use the network’s own encryption to hide, the task of protection becomes infinitely more difficult. The argument that traffic analysis is sufficient to detect stolen IP or PII, is, at best, a red herring that throws an important conversation off course and only makes users more susceptible to far worse privacy invasions by threat actors.

Today—with hybrid networks that use multi-cloud deployment, intense levels of mobile access and IoT—applying encryption smartly, based on clear understanding of network risks, is a greater imperative than ever before.

Implementing strong encryption combined with SSL inspection capabilities provides a secure, accountable and efficient means to protect information from authorized access while enabling network owners to pinpoint and investigate suspicious activity. It enables the protection of everyone’s data on the network. 

Unfortunately, because only a few vendors have the equipment to execute SSL inspection fast enough to keep up with the demands of network traffic, too many operators are using no encryption at all. They realize that the visibility of what’s leaving and entering the network is of supreme importance, so they forgo the extremely necessary protection afforded by encryption. As tools and technologies that enable secure and fast SSL decryption become increasingly effective and precise, it is a compromise they don’t need to make. They can have the security and privacy of robustly deployed encryption, while also having the ability to remove that cover from cybercriminals and inspect suspicious activity. As attacks get more sophisticated by the day, it is critical to have both.

Visibility is a fundamental cybersecurity strategy to protect network assets and information. Even if your organization has taken great care to implement critical foundational cybersecurity elements like access control, segmentation and appropriate levels of cryptography, it will not change a simple, common-sense truth. You can’t protect what you can’t see.

This byline originally appeared in CSO.

Join the Discussion