tl;dr: Nubeva created the industry’s first cloud-native, universal TLS decryption solution for real-time, historical or on-demand decryption. The breakthrough technology, Nubeva Prisms TLS Decrypt, handles all TLS encryption ciphers including TLS 1.3 with Perfect Forward Secrecy (PFS) and Elliptic-curve Diffie-Hellman (ECDH) support.
Today, more than 70% of all network traffic is encrypted. Organizations with mission-critical resources in the public cloud need to inspect this encrypted network traffic, which means users must find a way to decrypt their packets. If they can’t see it, security teams can’t detect threats, can’t respond to incidents and can’t troubleshoot performance issues.
As SecOps professionals search for workarounds to get more visibility of encrypted cloud data, solutions come up short. In many cases, users want and need to inspect all traffic. And, they can’t afford to create complex man-in-the-middle inline solutions that lead to managing multiple firewalls and load balancers – and costing a fortune!
Nubeva Prisms TLS Decrypt solves the encryption conundrum that exists in today’s public cloud. Nubeva’s breakthrough TLS Decryption solution was born in the cloud and purpose-built for the cloud era. It is architected for and runs as a native cloud solution. Users can set it up and start running it in minutes. Here are the three components of Nubeva Prisms TLS Decrypt:
- Key Extraction. The Nubeva Prisms TLS Key Discovery agent uses advanced, AI-based rules for TLS key extraction. It runs on any TLS client or TLS server and can discover and extract keys from either side of the TLS 1.3 handshake. With negligible (<0.1) CPU impact and read-only permissions, the Nubeva Prisms agent discovers and extracts the ephemeral symmetric connection keys. It does this by extracting keys from core memory. The Nubeva Prisms agent identifies and triggers on the ClientHello of the TLS handshake. It then analyzes memory changes with AI-based heuristics to discover keys. The key discovery heuristic is loaded from the Nubeva backend, which makes it updatable and not dependent on any particular TLS library. This also means that it is able to discover the symmetric keys for all session types and all protocols, which makes it extremely extensible to other applications. Finally, the Nubeva Prisms agent is able to perform key identification and extraction for most cloud workloads, including containers, microservices running in containers and VMs, all without requiring configuration settings or workload restarts.
- Key Storage. Extracted keys are then sent to your own key database, called the KeyDB. The cloud-based symmetric key database keeps all your keys available for all your tools to perform decentralized and scalable decryption when and where needed: in real time, in parallel with separate tools, or even for historical replays of saved pcaps. The KeyDB is the customer’s database, not Nubeva’s database. Access is fully controlled by the client’s policies, and the database resides in the client’s cloud subscription.
Architecturally speaking, the presence of a secure symmetric key database enables highly scalable, low-cost strategies. Because the KeyDB is separate from the Key agent or decryptor, it enables both decrypt now and decrypt later strategies. It allows for any decryptors. It enables massive, parallel decryption as well. When coupled with encrypted stream replication, it allows for simultaneous inspection, monitoring, and troubleshooting at each of the separate tool destinations.
- Decryption. Decryption of mirrored traffic happens on the tool workload in the Nubeva Receiver agent. The Nubeva Receiver agent runs either on the native OS or as a container on the tool workload. The Nubeva Receiver agent synchronizes incoming encrypted packet traffic - whether from real-time taps and mirrors or from stored sessions and pcaps - with the keys that were previously extracted and stored in the KeyDB. The Receiver agent handles all the decryption at blisteringly fast speed and with almost no impact on the CPU and memory of the tool workload. The encrypted TLS packets are preserved so that header information can still be inspected if that is what your tool or processes require.
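The join between stored keys and captured packets described above is the client_random of each session's ClientHello: the key database records secrets per client_random, and the decryptor reads that value out of the captured handshake to find the matching entry. The following is an added example, not Nubeva's code, that shows this matching step. It assumes the key database is kept in the NSS key log format that Wireshark and most TLS libraries understand (`LABEL <client_random hex> <secret hex>`), and that the capture's ClientHello is available as raw TLS record bytes; the key log lines and the ClientHello are constructed sample data, not real keys or traffic. Because each of these secrets decrypts its session as completely as the server's private key would, the key log is as sensitive as the traffic itself, which is why the access controls the post describes for the KeyDB matter.

```python
"""Match captured TLS sessions to a per-session key database (added example).

Assumes an NSS key log formatted database, e.g.
    CLIENT_TRAFFIC_SECRET_0 <client_random hex> <secret hex>
The client_random from the captured ClientHello is the lookup key.
"""
from typing import Dict, Optional

TLS_HANDSHAKE = 0x16   # TLSPlaintext content type: handshake
CLIENT_HELLO = 0x01    # Handshake message type: client_hello


def parse_keylog(text: str) -> Dict[bytes, Dict[str, bytes]]:
    """Parse NSS key log lines into {client_random: {label: secret}}.

    Malformed lines are skipped rather than aborting the import, so one bad
    record in a long log does not block decryption of every other session.
    """
    db: Dict[bytes, Dict[str, bytes]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            continue
        label, client_random, secret = parts
        try:
            cr, sec = bytes.fromhex(client_random), bytes.fromhex(secret)
        except ValueError:
            continue
        if len(cr) != 32:  # client_random is always 32 bytes
            continue
        db.setdefault(cr, {})[label] = sec
    return db


def client_random_from_client_hello(record: bytes) -> Optional[bytes]:
    """Return the 32-byte client_random from a TLS ClientHello record, or None.

    Layout: TLSPlaintext header (5 bytes) -> Handshake header (4 bytes)
    -> legacy_version (2 bytes) -> random (32 bytes) -> rest of the hello.
    Truncated or non-ClientHello records yield None instead of garbage.
    """
    if len(record) < 5 + 4 + 2 + 32 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = int.from_bytes(record[3:5], "big")
    if rec_len + 5 > len(record):
        return None  # record body cut short in the capture
    body = record[5:5 + rec_len]
    if body[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len + 4 > len(body) or hs_len < 2 + 32:
        return None
    return body[6:38]


def keys_for_session(db: Dict[bytes, Dict[str, bytes]], record: bytes) -> Dict[str, bytes]:
    """Look up every stored secret for the session whose ClientHello is `record`."""
    cr = client_random_from_client_hello(record)
    return db.get(cr, {}) if cr is not None else {}


def build_client_hello(client_random: bytes) -> bytes:
    """Construct a minimal ClientHello record as sample capture data.

    Real clients send many extensions; this one sends none, which is enough
    to exercise the parser above but is not a valid TLS 1.3 hello on the wire.
    """
    body = (
        b"\x03\x03"            # legacy_version
        + client_random        # random (32 bytes)
        + b"\x00"              # legacy_session_id: empty
        + b"\x00\x02\x13\x01"  # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"          # compression_methods: null
        + b"\x00\x00"          # extensions: length 0
    )
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(hs).to_bytes(2, "big") + hs


# Constructed sample data: a deterministic client_random and fake secrets.
SAMPLE_RANDOM = bytes(range(32))
SAMPLE_KEYLOG = f"""# constructed sample key log, not real keys
CLIENT_HANDSHAKE_TRAFFIC_SECRET {SAMPLE_RANDOM.hex()} {'aa' * 32}
SERVER_HANDSHAKE_TRAFFIC_SECRET {SAMPLE_RANDOM.hex()} {'bb' * 32}
CLIENT_TRAFFIC_SECRET_0 {SAMPLE_RANDOM.hex()} {'cc' * 32}
SERVER_TRAFFIC_SECRET_0 {SAMPLE_RANDOM.hex()} {'dd' * 32}
CLIENT_TRAFFIC_SECRET_0 {'ff' * 32} {'ee' * 32}
this line is malformed and must be skipped
"""

if __name__ == "__main__":
    db = parse_keylog(SAMPLE_KEYLOG)
    hello = build_client_hello(SAMPLE_RANDOM)
    for label, secret in keys_for_session(db, hello).items():
        print(f"{label}: {secret.hex()[:16]}...")
```

A decryptor that works from stored pcaps rather than a live tap runs exactly this lookup per session before it can derive the record-layer keys, which is why a capture whose ClientHello was lost (for example, a mirror that started mid-connection) cannot be decrypted later even when the key database is complete.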
There is no MITM set up and no TLS intercept-decrypt-re-encrypt-and-send-on process. This preserves original end-to-end encryption without introducing the additional vulnerabilities - associated with HTTPS interception and MITM TLS proxies - from downgrading encryption or poor certificate verification. This architecture also reduces cost and performance impacts typically seen in in-line MITM setups.
Nubeva’s TLS decryption service is comprehensive, easy to set up and manage, and it’s affordable – enabling IT teams to unlock and monitor all of their public cloud traffic. It helps security operations teams by serving up the packet payloads they need to do threat monitoring and detection. It also supports those in devops who build programs, use encrypted services and need to debug, troubleshoot and operate in complex environments.
And, if an IT organization doesn’t have a way to move its packets from cloud workloads to its monitoring tools, Nubeva Prisms serves as a cloud packet broker. Its Elastic Packet Processor is a low-cost, high-performance, scalable engine that aggregates, replicates, filters and slices cloud packets and sends them to the designated tools.
As TLS 1.3 encryption continues to protect assets in the cloud, Nubeva’s cloud-native innovation allows enterprise IT teams to get the visibility they need to do their jobs more effectively. To learn more about the Nubeva Prisms TLS Decrypt solution, visit https://www.nubeva.com/products#decryption