Threats Hiding in TLS Encrypted Traffic Are on the Rise

July 21, 2021

The Mission Critical Need To Answer for TLS 1.3 Monitoring Gaps

Cybersecurity systems must be able to apply deep packet inspection services to modern TLS 1.3. This blog addresses the growing gaps solution providers face and how Nubeva helps fill those decryption gaps - quickly. 

A recent article by CSO magazine reported that 46% of malware communicating with a remote system over the Internet uses TLS encryption to conceal communications and evade detection. According to Sophos telemetry analysis, this is a 100% increase in TLS-based malware communications compared to 23% in 2020. 

With the rise in TLS adoption, it is not surprising that cybercriminals would find a way to use TLS encryption to their advantage to avoid detection. And vital security inspection systems entrusted to detect these threats are struggling to find a complete answer to support their users forging forward with TLS adoption.

Organizations should be able to examine all traffic between any application or service. Traffic could be inbound or outbound, north-south (across the organization’s perimeter), or east-west (within the organization’s boundary). Applications or services could be running on bare metal, in virtual machines, in containers, in Kubernetes clusters, or in service mesh architectures, and on any device: mobile, desktop, laptop, tablet, or server hardware. They could be running in private enterprise networks or in private or public clouds. The traditional network perimeter is gone. Every user device is on the edge, and every application, service, framework, or operating system vulnerability is easier to exploit. The attack surface is expanding, the number of threats is growing, and so is the number of attacks.

Some products focus on enhancing inspection capabilities that do not rely on traffic decryption. Examples of such methods include:

  • Header analysis (NetFlow, IPFIX, or sFlow records).
  • Analyzing traffic characteristics such as packet length, timing, connection duration.
  • Modeling user and entity behavioral analysis (UEBA), establishing normal baselines, and flagging/blocking deviations.  
  • Blacklisting domains and blocking connections using suspicious server certificates.
  • Log analysis, which does not necessarily include packet content.
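To make the traffic-characteristics item concrete, here is an added example (not Nubeva's code and not from the original post) that flags regular, same-sized connection patterns using only flow metadata. The record layout, the thresholds, and the name `find_beacon_candidates` are assumptions, and the flow records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, metadata only (no payload):
# (src, dst, start_seconds, duration_seconds, bytes_out)
FLOWS = [
    ("10.0.0.5", "203.0.113.10", t, 1.1, b)
    for t, b in [(0, 540), (60, 538), (121, 541), (180, 540), (241, 539), (300, 540)]
] + [
    ("10.0.0.7", "198.51.100.20", t, d, b)
    for t, d, b in [(3, 0.4, 1200), (10, 6.0, 48000), (95, 0.2, 300),
                    (400, 2.5, 9100), (410, 0.3, 700), (900, 3.1, 15000)]
] + [
    ("10.0.0.9", "192.0.2.8", t, 1.0, 500) for t in (0, 60, 120)
]

def cv(values):
    """Coefficient of variation: spread relative to the mean (0 = perfectly regular)."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0

def find_beacon_candidates(flows, min_conns=5, max_interval_cv=0.1, max_size_cv=0.1):
    """Return (pair, mean_interval, interval_cv) for src/dst pairs whose
    connections are evenly spaced and nearly identical in size."""
    by_pair = defaultdict(list)
    for src, dst, start, _duration, nbytes in flows:
        by_pair[(src, dst)].append((start, nbytes))
    hits = []
    for pair, recs in sorted(by_pair.items()):
        if len(recs) < min_conns:
            continue  # too few connections to call it a pattern
        recs.sort()
        starts = [s for s, _ in recs]
        intervals = [b - a for a, b in zip(starts, starts[1:])]
        interval_cv = cv(intervals)
        size_cv = cv([n for _, n in recs])
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits.append((pair, round(mean(intervals), 1), round(interval_cv, 3)))
    return hits

if __name__ == "__main__":
    for pair, interval, jitter in find_beacon_candidates(FLOWS):
        print(f"{pair[0]} -> {pair[1]}: every ~{interval}s, interval CV {jitter}")
```

The thresholds are illustrative and need tuning against a baseline of the environment's normal traffic.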

Vendors are continuing to invest in applying machine learning techniques to improve detection accuracy, reducing the number of false positives and, more importantly, the number of false negatives. However, this is a losing battle without deep packet/payload inspection, as more sophisticated embedded threats elude detection by any heuristic method. When organizations don’t have the capabilities to inspect TLS 1.3 traffic, they leave the door open for infiltration by malware.

Full packet inspection is truly vital, so much so that some organizations are sacrificing security for visibility. There are even working groups lobbying to weaken TLS 1.3 in order to enable traditional decryption so that teams and tools can inspect traffic. That seems crazy given the rise in cyber threats.

There is no alternative to being able to monitor network traffic payloads: “to see” API calls and responses, as well as actual data and files transmitted between as many elements and connections as possible. Such visibility is essential so that protection, detection, analysis, and reporting tools and services can spot issues from both legitimate and malicious sources and code. Ideally, every organization should employ network monitoring, ranging from full-time, real-time, and everywhere to on-demand, historical, or spot capability, in support of software and security operations.


Implications of Modern TLS for Legacy Decryption Systems

Unfortunately, the three primary decryption techniques have growing issues. These limitations include what traffic can be inspected, throughput degradation, increased latency, and configuration and management overhead. With these functionality gaps, there is growing sales/engineering friction for sellers as limitations continue to grow. These techniques include:

  • Forward-proxy technique for inspection of outbound traffic used in secure web gateways, SASE, NGFW, IPS and APTs, decryption platforms, and any other device that supports deep packet inspection on traffic outbound to the internet or foreign servers and services.
  • Reverse proxy or session termination for inline inspection of inbound traffic is often employed in NGFW, IPS and APTs, Load Balancers, decryption platforms, and other systems that inspect inbound and lateral traffic. 
  • Passive intercept, also known as out-of-band inspection, often utilized by IDS, APM, and HIDS.

Download Nubeva’s Comprehensive Guide to Modern Network Decryption to dive into the technological limitations of these techniques.

The Reality for Solution Providers: 

For manufacturers of security and inspection systems or dedicated TLS decryption solutions, the reality is that inline is the only “option,” but performance and scaling challenges lead to customer complexities in implementation and operations. The consequences facing providers go beyond the functionality and value of the technology. It leads to a high total cost of product ownership (TCO), higher cost of sales as functionality and performance take hits, and reduction in the overall total addressable market.

The industry needs a new solution to respond to these changes and complexities, not retrofitting outdated practices because that’s how things are done. Spending more money, more resources, and potentially delaying TLS adoption or reducing (even eliminating) DPI practices isn’t the answer. Performing deep packet inspection must be viable moving forward. 

Nubeva Session Key Intercept: A Modular Solution to Solve Decryption Gaps Where and When it’s Needed 

SKI (Session Key Intercept) is a new method for a new era. At the heart of the problem is the fact that current inspection techniques must be able to participate in or replay TLS sessions. SKI removes this crippling dependency and elevates and equalizes the decryption capabilities of all security components, inline or out of band. Our software solution enables existing products to apply payload inspection to all traffic, including decryption of TLS 1.3, supercharges performance, is quickly implemented, and operates as a universal option. SKI enables systems to have the best of all worlds: top security capabilities, high-speed performance, and the ability to decrypt all traffic for a complete inspection.


Nubeva's primary business is to enable system manufacturers to provide better, faster, and easier deep packet inspection systems by providing an answer to TLS 1.3 and beyond. Our OEM solution is being adopted by: 

  1. Leading providers with growing product gaps
  2. “Up and comers” working to differentiate their product in the marketplace by adding our decryption capabilities.  

Nubeva SKI reduces significant product development efforts and complicated (or impossible in many cases) engineering requirements for customers, and it empowers sales by offering a solution rather than a bandaid.


Learn more about Nubeva’s Session Key Intercept by downloading the “Case for Nubeva SKI in a TLS 1.3 World and Beyond” and let’s chat about how we can solve your product gaps. 

