It’s been estimated that 70% of malicious traffic is encrypted.
It’s not surprising then that the researchers at Enterprise Management Associates (EMA) found in their 2022 report (Network Visibility Architecture for the Hybrid, Multi-Cloud Enterprise) that 98% of study participants attempted to decrypt and analyze network traffic.
What was surprising was that, on average, only 27% of encrypted malware was detected.
So why hasn’t cryptanalysis, that age-old science of code breaking through decryption, proven to be more effective at identifying and rooting out encrypted malware?
Well, it turns out that there are two main reasons that could mean the difference between success and failure in securing your company, your customers, and ultimately, your bottom line.
These two key points are:
- You NEED a visibility architecture
- and Location, Location, Location (note – we’re not talking about real estate here)
Visibility — You Can’t Protect What You Can’t See
EMA’s researchers studied how IT and security organizations use network visibility architectures as part of their code-breaking or cryptanalysis strategy. What they discovered was that companies fail to find encrypted malicious activity because they are failing to implement an effective network visibility architecture. An effective network visibility architecture gives you the ability to see malicious activity before it’s too late. While the primary driver for study participants to invest in a network visibility architecture was movement to the cloud, the secondary driver was a Zero Trust security posture. A Zero Trust architecture requires continuous visibility, i.e., continuous monitoring, of all network activity.
Companies that detected encrypted malware knew they’d been breached. Companies that didn’t detect encrypted malware still don’t know that they’ve been breached. The ability to see traffic flowing through the network, both plain text and encrypted, is the first takeaway.
Location, Location, Location — Where you Decrypt Matters
Where you decrypt can have a surprisingly large impact on your cryptanalysis implementation. There are two fundamental locations at which to perform data decryption:
- At each security tool
- One centralized location
Decrypt at the Tool
EMA researchers found that 43% of study participants decrypted traffic on each analysis tool, just prior to inspection. Since most companies with an interest in security have multiple security analysis tools, this strategy causes several poor outcomes:
- Non-standard decryption algorithms across tool manufacturers can leave you without the decryption capability you need when malware appears
- Wasted CPU, as each tool must decrypt/encrypt the same traffic again and again. Decryption at every tool can slow your network and increase the odds that decryption is disabled. ZK Research discovered in one of their surveys that when decryption slows the network down to a crawl, 45% of security engineers just turn it off — leaving them with no decryption.
- Runaway costs from growing tool requirements can entice some to take shortcuts in the visibility architecture, such as spot monitoring or using SPAN ports instead of dedicated hardware tapping devices (which might not meet compliance or visibility requirements)
Decrypt at a Central Hub
EMA researchers found that 25% of study participants decrypted only in the network visibility architecture, which is specifically designed to increase your cryptanalysis success rate. This strategy produces several positive outcomes.
A network visibility architecture:
- Aggregates traffic, maximizing tool efficiency with faster FPGA processing and sending the right traffic to the right tool
- Load-balances data sent to tools, maximizing tool farm efficiency
- Allows for a “decrypt one time to analyze all data” strategy, which greatly improves your success in detecting malware and eliminates individual tool decryption license fees
Decryption and encryption are resource hungry activities that are best done once, in your network visibility architecture, on hardware built for the purpose of maximizing the efficiency of your analysis tools. It should not be done repetitively at each security analysis tool.
Where you decrypt matters. Decrypt once, in your network visibility architecture, and maximize the benefits of your analysis tools.
Whether you are looking to reduce costs, meet compliance, or enhance your security posture, Keysight is here to help. We have various network visibility and network security solutions for both NIST and CISA compliance. Reach out to Keysight Technologies and we can show you how to optimize your security solutions.
For additional information about why Where You Decrypt Matters