Deploy Symmetric Key Intercept: A New Approach to Visibility for Endpoints.
TL;DR: In March 2020, we announced a new solution to enhance proxy-based decryption. Nubeva now enables enterprises to decrypt endpoint traffic to the internet, including traffic that relies on pinned certificates. Nubeva’s approach employs symmetric decryption allowing teams to deploy out-of-band decryption - an approach that has been reportedly impossible. See deeper and wider while freeing up your proxy systems to their jobs with higher performance at fraction of the price being consumed today.
Time to read: 4 Minutes 30 SecondsThere are many methods to inspect traffic in and out and within the datacenter. Inspecting and monitoring traffic from endpoints to the internet is more troublesome. The primary method is to use proxy systems - most often with secure web gateways and/or cloud access security brokers (CASBs). In these systems, client / endpoint traffic is networked - either directly or via tunnels - to a system that is in the middle of your connection to the internet to perform core functions such as URL filtering etc, with added features such as clear text mirroring and decryption turned on for inspection and detection purposes - at a hefty cost and severe performance hit.
This method is commonplace - with organizations turning on decryption at these points for good reason -- 60% of this traffic is encrypted and hides malicious activity, making decryption a priority.
Proxy-based decryption has some gaps to overcome:
- Modern TLS Protocols: Today, with all traffic encrypted using advanced TLS (SSL’s modern and more secure evolved form), the ability to crack open traffic for inspection is no doubt a blind spot in the organization.
- Pinned Certificates: Modern SaaS applications make increasing use of pinned certificates, which creates end-to-end encryption between the client and the subscription server. That server, whether it’s Dropbox or Google Suite or Office365 or an API call to a third-party service is not in the control of the enterprise. As such, teams have no opportunity to install agents or create network choke points on third party systems creating blind spots and breaking the zero-trust model that is increasingly popular.
- Proxy Solutions Overload: With proxy-based decryption, the tool must participate in the handshake in order to gain access to the information required to discover encryption keys. Once keys are captured, they can be used to decrypt or be sent to tools for inspection. The process has scaling issues, sequencing errors and places a heavy burden on compute load and tool performance. With the volume and speed of traffic over short sessions, these systems become overloaded. Even with this approach, direct client-to-third-party connections remain a blind spot because of certificate pinning.
- High Cost and Significant Performance Hits: Because modern computer architectures are distributed, virtual and elastic, these systems efficiency is impacted. If decryption is even possible, proxy-based decryption comes with a hefty price tag. The compute efficiency in the handshake alone can cost 10X to 100X more than traditional bulk decryption - adding on key regeneration and re-encrypt, the cost escalates quickly. Inline proxies, firewalls and packet brokers experience (NSS Labs measured an average performance decline of 92% across all tested Next Generation Firewalls [i.e. inline decryption]),
Nubeva has introduced a modern endpoint decryption solution.
Our next-gen approach handles decryption for endpoints, including support for pinned certificates and new protocols, such as DNS over HTTPS, eliminates client blind spots. This allows organizations to offload decryption from proxy-based systems to allow full visibility with improved speed, performance and reduced cost.
This solution decouples symmetric key discovery from the act of decryption. With the ability to discover symmetric encryption keys without participating in the TLS handshake, Nubeva creates a massive decryption performance boost and unlocks the out-of-band decryption capability previously unavailable with the introduction of perfect forward secrecy-based decryption as well as legacy.
By removing the performance-inhibiting “decryption tax” that inline proxies, firewalls and packet brokers experience - and allowing downstream, parallel decryption - Nubeva creates new opportunities for uninhibited visibility and security. This includes:
- Eliminating blind spots
- Supporting Chrome and Chromium-based browsers like the new Edge browser from Microsoft
- Supporting native OS for Windows, Linux, MacOS and Android
Security and DevOps teams can offload network decryption from proxies and CASBs. Network architects can configure these tools to focus on high-performance URL and destination filtering; which is what they were designed for in the first place.
Network traffic mirroring and packet collection can still take place at these natural network hubs. But the packets can remain fully and originally encrypted. Nubeva’s Symmetric Key Intercept method will discover the keys for each session and wait for the call should a session need to be inspected - whether because of an alert, regulatory spot-check or continuous monitoring. Nubeva’s out-of-band decryptor can marry the symmetric key with the mirrored or stored packet stream / session traffic. Packets are then securely delivered the the inspection, detection and threat hunting tools, teams and processes.
In the end, users are happier because performance is unencumbered. Security professionals breathe easier because now they have full visibility to all, not just some, of the packet traffic they require (including pinned certificates) with significant reduction in lost packets and sequencing errors. And lastly, network and application engineers gain confidence knowing their networks and applications are able to run at peak performance without clunky decryption bottlenecks getting in the way.