Effective encryption has long been critical for protecting sensitive enterprise data, but as hackers increasingly leverage encrypted channels to access and traverse enterprise networks, secure traffic decryption is also key to assessing potential threats.
Mike Campfield, vice president of global security programs at ExtraHop, spoke with eSecurity Planet about the importance of a comprehensive decryption and monitoring strategy to ensure enterprise security.
The job of security operations, Campfield said, inevitably involves sifting through a significant amount of noise, and encryption can make it extremely challenging to determine what actually poses a threat. While the vast majority of anomalous activity in an enterprise won’t turn out to be malicious, it’s critical to be able to access that activity to assess it.
Attackers are increasingly finding ways to use a victim’s systems against itself, and an enterprise’s own encryption can provide the perfect cover for an attack. “By poking around in a company’s infrastructure and using encrypted channels to first do recon, then secondly start prepping and staging my attack, and then finally exfiltrating or dropping ransomware, I can hide inside of the organization’s own encrypted traffic,” Campfield said.
Managing Encryption and Decryption at Scale
Still, there’s a lot that enterprises can do in response, largely thanks to significant improvements in encryption technology. “In the old days, you had to have private keys for each piece of the infrastructure, hundreds or thousands of encryption keys – and it was honestly not manageable to do that – so organizations decided not to encrypt things,” Campfield said.
Today, TLS 1.3 makes it easier both to manage encryption at scale and to decrypt as needed. “Because it’s easier to manage the key escrowing and the whole key lifecycle, this allows an organization to be more protective, because they’re more comfortable in encrypting more of their infrastructure,” Campfield said.
Effective visibility and monitoring inherently requires decrypting as well as encrypting. “Ensure that you can not only encrypt both in transit and at rest, but also decrypt and be able to see the anomalies and actions that are happening inside of your network, so you can prevent a massive breach or a crippling ransomware campaign,” Campfield said.
Too many companies are focusing on only half the battle, ensuring pervasive encryption but falling short on decryption and monitoring. Even a tool like JA3, Campfield said, will only get you so far before you need to decrypt in order to assess a possible threat – and at that point, if you have to call the database administrator and ask them to look in their logs to examine each event, that’s all but impossible to do on a regular basis.
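JA3 fingerprints a TLS client from the cleartext fields of its ClientHello, which is why it works without decryption and also why it stops short of telling you what a session carries. The block below is an added illustration, not code from the article or from ExtraHop: it computes a JA3 string and hash from constructed ClientHello values and groups two connections by fingerprint, showing that the same client stack yields one fingerprint for both a benign and an unknown destination. The field values and hostnames are assumptions.

```python
import hashlib

# GREASE values (RFC 8701): random placeholders that browsers insert into the
# cipher, extension and curve lists; JA3 drops them so the hash stays stable.
GREASE = {0x0A0A, 0x1A1A, 0x2A2A, 0x3A3A, 0x4A4A, 0x5A5A, 0x6A6A, 0x7A7A,
          0x8A8A, 0x9A9A, 0xAAAA, 0xBABA, 0xCACA, 0xDADA, 0xEAEA, 0xFAFA}


def _field(values):
    """Join one ClientHello list with '-', skipping GREASE entries."""
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Build the JA3 text form: SSLVersion,Ciphers,Extensions,Curves,PointFormats."""
    return ",".join([str(version), _field(ciphers), _field(extensions),
                     _field(curves), _field(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats):
    """MD5 of the JA3 string, the value most network sensors log."""
    text = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(text.encode("ascii")).hexdigest()


# Constructed ClientHello field values (hypothetical, not captured traffic).
# Same client stack, two connections: only the GREASE placeholders differ.
HELLO_A = dict(version=771, ciphers=[0x2A2A, 4865, 4866, 4867, 49195, 49199],
               extensions=[0x1A1A, 0, 23, 65281, 10, 11, 16, 5, 13, 43],
               curves=[0x3A3A, 29, 23, 24], point_formats=[0])
HELLO_B = dict(version=771, ciphers=[0x8A8A, 4865, 4866, 4867, 49195, 49199],
               extensions=[0xFAFA, 0, 23, 65281, 10, 11, 16, 5, 13, 43],
               curves=[0xCACA, 29, 23, 24], point_formats=[0])


def group_by_ja3(flows):
    """Bucket (ClientHello params, destination) pairs by fingerprint, as a sensor would."""
    buckets = {}
    for hello, dest in flows:
        buckets.setdefault(ja3_hash(**hello), []).append(dest)
    return buckets


if __name__ == "__main__":
    # Two destinations, one fingerprint: JA3 says "same client software" but
    # cannot tell which session is the threat without decrypting the payload.
    flows = [(HELLO_A, "updates.example.test"), (HELLO_B, "unknown-host.example.test")]
    for fp, dests in group_by_ja3(flows).items():
        print(fp, dests)
```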
A System for Decryption and Analysis
So having an efficient system in place is key. “Having the right people, the people with the right credentials and the right access controls, look at the right information – because not all information should be decrypted – is really important in having a quick triage and a quick understanding of what’s in your network,” Campfield said.
Too many companies, instead, just ignore the majority of alerts. “One of the not-secret dirty secrets of security operations is the amount of incidents or alerts that just don’t get investigated, either because traffic is encrypted, or because there’s just too much effort needed in order to get at it,” he said. “It’s like giving up on a fly ball in the outfield because you know you’ll never catch it.”
It’s a real and widespread problem – a recent Trend Micro survey of 2,303 IT security and SOC decision makers found that 51 percent of respondents said their team is overwhelmed by the volume of alerts, and 55 percent aren’t confident in their ability to prioritize and respond to them.
Fully 43 percent admitted to having dealt with the problem by simply turning off alerts.
In the long run, Campfield said, what companies really need to do is to lean into the problem, not run from it, by committing to more traffic inspection, not less. “You need to burn down more of these signals in order to catch it – and the way you do that is by reducing the friction to be able to investigate what’s going on in your enterprise,” he said.
That means both monitoring more and digging deeper into the details of what is monitored. “The attack surface is too broad, the challenges are big because you have encrypted channels, you have visibility gaps, and you have disjointed teams in a lot of organizations – so the way you solve this is to try to take the friction out of all of those things,” Campfield said.
Machine Learning to the Rescue
And that’s where technology comes in, leveraging machine learning to support assisted investigation at scale. “That wasn’t possible back when you either couldn’t decrypt at scale or didn’t have machine learning and assistance to the very human tasks of deciding what’s good and what’s not,” he said.
A complete view of enterprise data, wherever it resides, is key. “There’s been a lot of acceleration to the cloud, a lot of diversity of where data and computing is happening now, particularly because of the pandemic – and ensuring that you have a complete view of your estate is vitally important,” Campfield said.
Ultimately, all of this is about being able to follow the breadcrumbs wherever they lead. “Something by itself might not look like a big deal, but when you start following the attack chain, or the breadcrumbs, if you will, that’s where you’re able to spot these advanced attacks and head them off before they become a disaster,” he said.