Skilled threat actors are now hiding cyber attacks in SSL-encrypted traffic. Not only do their payloads avoid inbound detection, it’s also easier for them to hide outbound activity during data exfiltration. And it’s creating serious challenges for security teams across all industries.
SSL inspection basics
By the end of 2016, 67 percent of the Internet will be encrypted. In fact, popular sites (e.g., Google, Facebook) are now making SSL encryption the default. Google even ranks websites using HTTPS higher in their search algorithms. As more of the Internet shifts toward encrypted traffic, attacks hiding in SSL traffic will only grow in popularity and sophistication.
In a May 2016 study, “Hidden Threats in Encrypted Traffic: A Study of North America & EMEA,” the Ponemon Institute discovered that out of over 1,000 respondents, 80 percent had been victims of at least one cyber attack in the previous 12 months, 40 percent of which leveraged SSL encryption to bypass security.
A proven method for stopping these attacks is SSL decryption and inspection. On a basic level, your network and security appliances will:
- Decrypt inbound and/or outbound traffic
- Send the decrypted traffic to a security appliance for inspection and mitigation,
- Re-encrypt the traffic
- Send the safe data to its final end point
The top reason (61 percent) their organizations haven’t implemented proper SSL decryption? Concerns over performance degradation, found Ponemon.
Off-load SSL decryption
Implementing this technique onboard your appliance, however, is processor-intensive and will likely result in performance degradation. An organization can avoid these issues by off-loading SSL decryption to a dedicated appliance. Let’s take
Let’s take Cisco ASA and FirePOWER, for example. A trusted next-generation firewall (NGFW) and security service, this solution can block up 99.4 percent of intrusion events and 99.2 percent of advanced malware attacks.
Although it can execute on-board SSL decryption in smaller deployment scenarios, it’s not advisable as organizations scale regional, national or global enterprise networks. However, by integrating Cisco ASA and FirePOWER with an enterprise-grade SSL decryption solution — like A10 Thunder SSLi, for example — organizations can bolster security without affecting performance. This video explains why SSL offload is the best strategy.
Five reasons to off-load SSL decryption
As we know, each deployment scenario is different. But for most organizations, it’s best practice to off-load SSL decryption and re-encryption to dedicated, high-performance solutions. The top benefits for this approach include:
- Dedicated processing for higher performance
- Set client-specific policies to determine which traffic should and should not be decrypted (e.g., data related to PCI or HIPAA compliance)
- Increase capacity and scalability with enterprise-grade load-balancing
- Quickly decrypt and re-encrypt SSL traffic with long ciphers or high key lengths
- Integrate with leading security appliances for maximum vendor flexibility
For more information on SSL decryption and inspection with Cisco ASA and FirePOWER, download the in-depth solution brief.