What's the Best Visibility Answer to Modern Encryption?

    by Nubeva 28 April 2020

    Read Time: 4 minutes, 45 seconds

    TL;DR: Is your organization adopting the latest encryption standards? Some are dragging their feet because TLS 1.3 impacts your visibility into network traffic. Don't turn down your encryption standards. Instead, get session keys to see the packets you need to monitor.

     

    In a recent article published by HelpNetSecurity, CTO Martin Rudd posited that slow adoption of new encryption standards empowers the bad guys – hackers interested in infiltrating enterprise networks. 

    In the article, Rudd writes, “…companies need to ensure network monitor tools are set up to cope with the added encryption TLS 1.3 brings and how it may be used by attackers to gain an advantage. Typically, companies would use a MITM middlebox which would analyze requests made in TLS 1.2 and decide whether a request was genuine or not before issuing the relevant certificate. But this process is impossible with 1.3 as it encrypts the aspects that were used by the middlebox to judge requests. As such, businesses should look to strengthen endpoint security to help mitigate initial intruder access onto networks, while also ensuring that security teams receive up-to-date response training and access to real-time intelligence to identify and analyze attacks.”1

    Indeed, there are challenges with new encryption protocols – the primary one being enterprises who feel their only solution is to “turn down” TLS 1.3 to 1.2 (or older) levels of encryption in order to effectively monitor network traffic. 

    That’s not the only answer, and it’s not the best or most secure approach. Preserving complete, decrypted visibility AND the highest levels of encryption is the best way. That’s where Symmetric Key Infrastructure and symmetric decryption can help. 

    But first, let’s take a look at several unique challenges in a bit more depth.

    1. Nearly All Your Network Data-in-Motion Is Encrypted...And That’s a Good Thing! First, the vast majority of network data is encrypted. As containers and microservice-based architectures accelerate the decentralization of application workloads in the cloud, end-to-end transport-level encryption is the number one recommendation for keeping public cloud environments secure. Workloads communicate on TLS-encrypted networks to perform their tasks, deliver data and run mission critical applications for business. Each workload in the public cloud makes thousands of TLS-secured connections each day.
    2. Modern Compute Environments Are Elastic And Ephemeral.In addition, modern compute environments are decentralized, dynamic and elastic. Public and private clouds still require that enterprises monitor network traffic and applications both inside and across VNETs and VPCs for both security, compliance, application performance and diagnostics reasons. Kubernetes clusters and elastic containerized environments have unique networking internals that are off limits to network packet security, detection and inspection services. The short-lived nature of auto-scaling modern compute environments means that a system might pop up one minute and spin down the next. If that system was compromised, the ability to detect, hunt, trace or perform forensics is severely limited if you lack the ability to acquire, decrypt and inspect its traffic while it is alive.
    3. PFS, ECDHE Ciphers, Pinned Certificates and TLS 1.3 Are Designed To Prevent Legacy Decryption.Lastly, new TLS 1.3 encryption protocols means the process you once used to decrypt is fundamentally different and forever changed. With PFS, certificate pinning, TLS 1.3, and ECDHE ciphers, RSA key exchange and certificate-based, session replay is not possible. This makes legacy, passive decryption impossible. Under TLS 1.3, all post-handshake packets are also encrypted rendering processes like legacy style identification of self-signed certificates unusable.

    The Visibility Answer: Symmetric Key Infrastructure

    In a breakthrough approach to network visibility and security, Nubeva created a process called Symmetric Key Intercept. This solution enables enterprises to adopt the latest TLS encryption protocols and restores the performance of security infrastructure to peak levels by offloading the most expensive and compute-intensive decryption processes. 

    Symmetric Key Intercept (SKI) bypasses the TLS handshake and certificate-based replay requirements of older systems. The process uses machine-learning to discover and retrieve the final, ephemeral session secrets (the final, symmetric encryption keys present only on the TLS client and the TLS server). Once identified using Symmetric Key Intercept, Nubeva’s solution can be used to either preserve and extend the ephemerality of the final keys or deliver them directly to tools and decryptors that security analysts already have in place. 

    Because this process is based on the symmetric keys and symmetric decryption, the process-intensive and performance-crushing asymmetric decryption processes like MITM, certificate / session replay and proxy-based termination are avoided. This preserves the original end-to-end encryption while eliminating the need to mess with packet traffic to turn-down encryption levels or pretend to be a host / server with a MITM approach.

    In "Guide to Network Defense and Countermeasures," the authors write: "Asymmetric encryption and decryption are about 10,000 times slower than symmetric encryption."2 Simply translated, this means Nubeva’s Symmetric Key Intercept approach is much faster and more efficient than traditional asymmetric operations.

    Nubeva creates new visibility for modern compute environments where legacy systems are unable to see or even access.

    This includes cloud environments like public cloud providers and private clouds that run on infrastructure not owned by the enterprise. As a result, legacy systems are unable to access and decrypt network traffic at the infrastructure level. Nubeva delivers packet traffic access for the cloud with software, container, Kubernetes DaemonSet, and service-based read-only sensors. These sensors acquire, filter, slice and mirror traffic. These same sensors provide Symmetric Key Intercept capacity allowing firms to gain full decrypted visibility to cloud traffic that is unavailable to infrastructure taps and legacy packet brokers.

    What’s more, Nubveva works in Kubernetes environments that have unique networking capabilities for container-to-container and pod-to-pod traffic. The dynamic and ephemeral environments inside and in between Kubernetes clusters were traditionally off-limits for cybersecurity inspection, detection and monitoring. But Nubeva creates all new visibility inside Kubernetes environments with DaemonSet-based packet acquisition, filtering, mirroring and decryption capabilities. 

    With Nubeva, there is no need to choose between strong encryption everywhere and the essential traffic visibility needed for deep security inspection and DevOps troubleshooting. This easy-to-orchestrate solution helps security pros stave off bad actors and obtain total visibility of network traffic.

     

    1. “TLS 1.3: Slow adoption of stronger web encryption is empowering the bad guys,” by Martin Rudd, HelpNetSecurity.com, April 6, 2020.

    2. "Guide to Network Defense and Countermeasures," by Randy Weaver, Dawn Weaver, and Dean Farwood, pg. 163

    Tags: visibility decryption TLS SSL encryption symmetric key intercept
    resources banner desktop

    Want to learn more?

    Request a Demo
    resource banner screen

    Sign Up for FREE Trial

    Sign Up

    Subscribe Here!

    View video encryption requires visibility