Decrypting SSL (Secure Sockets Layer) traffic is probably the topic I have written most about over the past 18 months, and I'm not the only one. This is a popular topic for the majority of Cyber Security Vendors too.
The exact numbers are not important, as the pattern is clear to see - three years ago there was very little conversation around decrypting SSL traffic, two years ago 70% of traffic was encrypted, a year ago it was at 85%, and now the statistics suggest that 95% of traffic is encrypted, and this doesn't look to be changing any time soon - actually it's getting more difficult, but more on that later...
Based on the last 20 or so conversations I have had with organisations whose perimeter security is not managed by Charterhouse, whether it be on-prem or in the cloud, I would estimate that around 50% still don’t utilise any sort of SSL Decryption. Knowing the importance of this, I always ask why, and the answers continue to be the same:
- Our MSP hasn't presented this option to us
- We are unable to, due to legal reasons
- Our current technology doesn't allow this
- We've never heard of it
- We've tried it, but it caused too many issues
Whilst I mean no offence by this next statement - none of the above are reasons to not implement a strategic SSL Decryption Policy.
Before I explain why the above reasons aren't valid, let me first outline the importance of such a policy...
Although many believe that encrypted traffic is more secure - and yes, it is true that this depends on the algorithms used - it is easy for attackers to hide malware (as an example) within encrypted traffic, and if your organisation doesn't decrypt it, you are likely to miss it.
I have never, and doubt I ever will, come across a Cyber Security policy that says "only thoroughly inspect 5% of traffic", yet that is exactly what organisations are doing. Let's think about this - if you have a 1GB pipe to the internet, or your cloud SASE (Secure Access Service Edge) solution, and 95% of that traffic cannot be thoroughly checked for threats, this is a big hole in your security.
Now let me explain why the above reasons for not implementing a strategic SSL Decryption Policy aren't valid:
- MSP – It’s definitely time to challenge them, because this would never be a valid excuse if you needed to answer awkward questions on the back of a breach. Working with an MSP/MSSP should be a partnership, with them taking a keen interest in your security.
- Legal – This is certainly an excuse, not a reason. It is very easy to exempt sensitive information - such as bank details and personal information (DOB and National Insurance Number) - from decryption whilst still decrypting the traffic you do need to inspect.
- Technology – It’s time to look for budget! If your current technology doesn't allow for this, it is highly likely you are running technology that is far too old, and isn’t fit for the threats of today and tomorrow.
- Never heard of it – It’s time to find a Cyber Security partner to help with your strategy, to help you remove these gaps in your posture.
- We tried – This is a common reason, especially when an organisation is using older technology or working with certain vendors. However, all of the leading vendors (Gartner MQ) now offer granular control on SSL decryption to help you meet your specific requirements, rather than just on or off.
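As an added example (not Charterhouse's or any vendor's code), here is a small Python policy evaluator showing the granular, exemption-based approach described in the Legal and "We tried" points above: sensitive categories and a pinned-app host are bypassed, everything else is decrypted, and the share of bytes that actually reaches inspection is reported. The rule format, rule names, hostnames, categories and byte counts are all constructed for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Categories the post says can be exempted (bank details, personal data).
BYPASS_CATEGORIES = {"finance", "health", "government"}

@dataclass
class Rule:
    name: str
    action: str                                        # "bypass" or "decrypt"
    categories: set = field(default_factory=set)       # URL-filter categories
    sni_patterns: list = field(default_factory=list)   # hostname globs

    def matches(self, sni: str, category: str) -> bool:
        if self.categories and category in self.categories:
            return True
        return any(fnmatchcase(sni.lower(), p) for p in self.sni_patterns)

# Ordered policy, first match wins; hypothetical names/hosts, constructed here.
POLICY = [
    Rule("exempt-sensitive-categories", "bypass", categories=BYPASS_CATEGORIES),
    Rule("exempt-pinned-app", "bypass", sni_patterns=["*.update.example-vendor.test"]),
    Rule("decrypt-everything-else", "decrypt", sni_patterns=["*"]),
]

def decide(sni: str, category: str, policy=POLICY) -> tuple:
    """Return (action, rule_name) for one TLS flow identified by SNI and category."""
    for rule in policy:
        if rule.matches(sni, category):
            return rule.action, rule.name
    return "decrypt", "implicit-default"   # safe default if no rule matched

def inspection_coverage(flows, policy=POLICY) -> float:
    # Fraction of encrypted bytes the policy actually sends for inspection.
    total = sum(nbytes for _, _, nbytes in flows)
    inspected = sum(nbytes for sni, cat, nbytes in flows
                    if decide(sni, cat, policy)[0] == "decrypt")
    return inspected / total if total else 0.0

# Constructed sample flows: (SNI, URL category, bytes transferred)
SAMPLE_FLOWS = [
    ("online.bank.example", "finance", 40_000),
    ("patient-portal.example", "health", 10_000),
    ("cdn.update.example-vendor.test", "software", 30_000),
    ("files.sharing.example", "file-sharing", 120_000),
    ("unknown-host.example", "uncategorised", 20_000),
]

if __name__ == "__main__":
    for sni, cat, _ in SAMPLE_FLOWS:
        print(f"{sni:32} -> {decide(sni, cat)}")
    print(f"inspection coverage: {inspection_coverage(SAMPLE_FLOWS):.0%}")
```

Putting the catch-all decrypt rule last, with only named exemptions above it, is what keeps the inspected share high instead of defaulting to the "5% inspected" situation the post warns about.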
I briefly mentioned above that it is becoming a little more difficult. However, this isn’t a process issue; it's due to new security measures built into TLSv1.3 traffic itself. TLSv1.3 is the latest version of the TLS protocol, and it provides application security and performance improvements. Your technology needs to be able to decrypt this new traffic, but unfortunately not all vendors have yet caught up. As more traffic starts to use TLSv1.3, you will be able to go back to the start of this blog, and my points will remain exactly the same.
The key message here is: decrypt your traffic - whether you have a traditional perimeter model or a SASE model - plan it, test it, deliver it, and you will significantly reduce your risk of an attack.
To find out how Charterhouse can help your organisation, please do get in touch...