Encrypted Traffic Management
Ty Mellon - Regional Manager, Government, Healthcare, Education
Blue Coat Systems, Inc.
512-507-1242

The World’s Most Successful Organizations Trust Blue Coat to Protect their Business
• 86% of FORTUNE Global 500 Companies
• Over 30% of FORTUNE Global 10K Companies
• 16 Largest Service Providers in the World
• Worldwide Government Organizations
Stop Advanced Threats | Manage Encrypted Traffic | Secure the Cloud | Protect the Web
ENCRYPTED Traffic is GROWING
Ecommerce, Finance, Healthcare; Social Media, Email, Enterprise Apps; Google, Apple, Microsoft, Yahoo, Mobile Apps
• SSL is estimated at 35 - 50% of network traffic and growing 20% annually*
• 70+% in some industries (e.g. federal, finance, healthcare)
• 100% of US government web traffic encrypted by 2017
*Source: Gartner
THE BAD GUYS KNOW IT!
Advanced threats use SSL to hide C&C almost by default
• sslbl.abuse.ch (the “Zeus Tracker” site)
• 423 blacklisted SSL certificates (May `14 – Jan `15):
  • Most (recently) are “Dyre C&C”
  • Many are “KINS C&C”, “Vawtrak MITM”, “Shylock C&C”
  • Several are generic “Malware C&C”
  • A few “URLzone C&C”, “TorrentLocker C&C”, “CryptoWall C&C”, “Upatre C&C”, “Spambot C&C”, “Retefe C&C”, “ZeuS MITM”
• …that’s a dozen recent malware families using SSL
>50% of all malware will use SSL by 2017*
*Source: Gartner
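The slide's practical takeaway for a defender is that a certificate blacklist like sslbl.abuse.ch can be matched against the server certificates seen in TLS connections, including on non-standard ports and with no SNI. The following is an added example, not Blue Coat's code or the abuse.ch tooling: the blacklist columns (listing date, SHA-1, reason) and the connection-log layout are assumed formats, and every fingerprint, address and timestamp is a constructed placeholder, not a real indicator.

```python
"""Added example (not from the deck): match observed TLS server-certificate
fingerprints against a certificate blacklist and count hits per malware
family. Blacklist and log below are constructed samples in assumed formats;
the SHA-1 values are made-up placeholders, not real IoCs."""
import csv
import io
from collections import Counter

# Constructed blacklist. Assumed columns: listing date, certificate SHA-1,
# listing reason (family labels mirror the ones the slide lists).
BLACKLIST_CSV = """\
# listing_date,sha1,reason
2015-01-12 10:31:04,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,Dyre C&C
2015-01-09 08:02:55,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb,KINS C&C
2014-12-20 17:45:10,cccccccccccccccccccccccccccccccccccccccc,Vawtrak MITM
2014-11-03 12:00:00,dddddddddddddddddddddddddddddddddddddddd,Malware C&C
"""

# Constructed connection log: ts, src, dst, dport, sni, server-cert SHA-1.
# Note the hit on port 8443 with an empty SNI: C&C does not have to look
# like ordinary HTTPS.
CONN_LOG = """\
2015-02-01T09:00:01Z,10.0.0.5,203.0.113.10,443,update.example,1111111111111111111111111111111111111111
2015-02-01T09:00:07Z,10.0.0.9,203.0.113.77,8443,,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2015-02-01T09:01:13Z,10.0.0.9,198.51.100.4,443,,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
2015-02-01T09:02:40Z,10.0.0.12,203.0.113.10,443,update.example,1111111111111111111111111111111111111111
"""


def load_blacklist(text):
    """Parse the CSV into {sha1: reason}. Fingerprints are normalized to
    lowercase hex so that matching is case-insensitive."""
    rows = csv.reader(l for l in io.StringIO(text) if l.strip() and not l.startswith("#"))
    blacklist = {}
    for listed, sha1, reason in rows:
        blacklist[sha1.strip().lower()] = reason.strip()
    return blacklist


def match_connections(log_text, blacklist):
    """Return (hits, family_counts). Each hit carries the log fields plus
    the blacklist reason, which is what a SIEM alert would need."""
    hits = []
    for ts, src, dst, dport, sni, sha1 in csv.reader(l for l in io.StringIO(log_text) if l.strip()):
        reason = blacklist.get(sha1.strip().lower())
        if reason:
            hits.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                         "sni": sni or None, "sha1": sha1.lower(), "reason": reason})
    return hits, Counter(h["reason"] for h in hits)


if __name__ == "__main__":
    found, families = match_connections(CONN_LOG, load_blacklist(BLACKLIST_CSV))
    for h in found:
        print("%(ts)s %(src)s -> %(dst)s:%(dport)d sni=%(sni)s  %(reason)s" % h)
    print(dict(families))
```

The fingerprint is the one part of a TLS session that is visible without decrypting anything, which is why this check works even on traffic a policy chooses to bypass.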
Existing Security Infrastructure is Insufficient
• Most security solutions are “blind” to SSL
  • DLP, IDS, Sandbox & Network Forensics
• “Tool by tool” SSL decryption doesn’t work
  • Costly upgrades: NGFW and IPS solutions suffer up to 80% performance degradation*
  • Numerous, evolving cryptographic suites
  • Certificate and key management complexities
  • Additional complexity – arduous scripting
[Figure: tool icons for Network Forensics, DLP, Anti-Malware, Next Gen Firewall and Intrusion Prevention]
*Sources: NSS Labs, Gartner
What About Privacy and Compliance?
Data privacy concerns and the risk of advanced threats lead to two requirements:
1) Manage what type of information is decrypted
2) Assure custody and integrity of encrypted data
THE MOST EFFECTIVE STRATEGY TO MANAGE ENCRYPTED TRAFFIC
• Automated elimination of the SSL blind spot
• Preserve privacy and compliance while enabling security
• Enhance the effectiveness and ROI of existing security tools
• Ensure the highest level of encryption is maintained
Eliminate the Encrypted Traffic Blind Spot
• Automatically discover all SSL/TLS traffic, regardless of port or application
  • Complex scripting not required
  • Faster ‘time-to-productivity’
  • Expose potential hidden threats*
• High-performance inspection
  • 4 Gbps SSL throughput
  • 400K connections / second (CPS)
  • Software and hardware acceleration
  • Support for multiple network segments simultaneously
* TCP Ports used by Dyre Trojan for Hidden Command & Control - Blue Coat Labs
Assure the Highest Level of Encrypted Security
• Support for the latest cryptographic standards
  • Timely and complete coverage: 70+ cipher suites and key exchanges supported
  • e.g. AES-GCM, ChaCha, Camellia
• Maintain security posture
  • Do not modify the existing infrastructure security posture
  • No “downgrading” of cryptography – utilize what’s established
  • No “replay vulnerable” RSA forced for key exchange
• Ensure compliance
  • No exposure or vulnerability of decrypted data
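The "no downgrading" and "no forced RSA key exchange" bullets describe a property that can be checked: the cipher suites an inspection point re-offers toward the origin server should be a subset of what the client proposed, in the client's order, and should not strip forward-secret (ECDHE/DHE) suites so that only static RSA remains. The block below is an added example, not Blue Coat's code; the cipher-suite code points are the real IANA values, while the client offer and the two device profiles are constructed for illustration.

```python
"""Added example (not from the deck): audit what an inspecting device
re-offers to the server so the client's cryptographic posture is kept.
Code points are IANA TLS cipher-suite values; CLIENT_OFFER and the two
device profiles are constructed."""

# IANA cipher-suite code points and each suite's key-exchange method.
SUITES = {
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", "RSA"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x009E: ("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "DHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC02C: ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "ECDHE"),
    0xCCA8: ("TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "ECDHE"),
}
FORWARD_SECRET = {"DHE", "ECDHE"}


def suite_name(code):
    return SUITES.get(code, ("unknown_%04x" % code, "?"))[0]


def key_exchange(code):
    return SUITES.get(code, ("", "?"))[1]


def forwarded_offer(client_offer, device_supported):
    """Suites the device re-offers upstream: the client's list, in the
    client's preference order, minus suites the device cannot handle.
    It never injects suites the client did not propose."""
    return [s for s in client_offer if s in device_supported]


def downgrade_findings(client_offer, server_offer):
    """Return posture problems in the offer sent to the server; an empty
    list means the client's posture was preserved."""
    findings = []
    for s in server_offer:
        if s not in client_offer:
            findings.append("injected suite not proposed by client: " + suite_name(s))
    client_fs = [s for s in client_offer if key_exchange(s) in FORWARD_SECRET]
    server_fs = [s for s in server_offer if key_exchange(s) in FORWARD_SECRET]
    if client_fs and not server_fs:
        findings.append("forward-secret key exchange stripped; static RSA forced "
                        "(session keys recoverable from the server key alone)")
    return findings


# Constructed client offer in a browser-like preference order.
CLIENT_OFFER = [0xC02B, 0xC02F, 0xCCA8, 0xC030, 0x009E, 0x009C, 0x002F]

# Constructed device profiles: one handles every suite above, the other is
# a passive decryptor that can only work with static RSA key exchange.
DEVICE_FULL = set(SUITES)
DEVICE_RSA_ONLY = {0x002F, 0x0035, 0x009C}


def audit(device_supported):
    server_offer = forwarded_offer(CLIENT_OFFER, device_supported)
    return server_offer, downgrade_findings(CLIENT_OFFER, server_offer)


if __name__ == "__main__":
    for label, dev in [("full", DEVICE_FULL), ("rsa-only", DEVICE_RSA_ONLY)]:
        offer, findings = audit(dev)
        print(label, [suite_name(s) for s in offer], findings or "OK")
```

The rsa-only profile is the case the slide warns about: a device that decrypts passively with the server's private key needs static RSA key exchange, so it reaches that position by removing the client's ECDHE suites, and anyone who later obtains that key can recover every recorded session.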
Enhances Existing Security Products’ Visibility and ROI
[Figure: decrypted feed to NGFW, Forensics, IDS / IPS, Anti-Malware and DLP; the Global Intelligence Network supplies policy categories and worldwide malware reporting & blocking]
DECRYPT ONCE --- FEED MANY
Preserve Privacy and Compliance While Enabling Security
• Selective decryption enables ‘blacklist’ and ‘whitelist’ policies
• Host Categorization Service
  • Leverages the Blue Coat Global Intelligence Network
  • Utilizes 80+ categories, in 55 languages
  • Processes 1.2B+ web and file requests per day
  • Easily customizable per regional and organizational needs
• Policy examples
  • Block or decrypt traffic from suspicious sites and known malnets
  • Bypass / do not decrypt financial and banking-related traffic
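Two earlier points, discovering TLS regardless of port and deciding per host whether to block, decrypt or bypass, fit together in one piece of code: recognize a ClientHello on any port, read the server name it carries, look the name up in a category table, and apply an ordered policy. The block below is an added example and not Blue Coat's code; the host-to-category table, the hostnames and the policy order are constructed stand-ins for a categorization service, and the ClientHello builder exists only to produce sample input.

```python
"""Added example (not from the deck): port-independent TLS ClientHello
detection, SNI extraction (RFC 6066 server_name extension) and a
selective-decryption policy keyed on host category. HOST_CATEGORIES and
POLICY are constructed; build_client_hello() only makes sample input."""
import struct

# Constructed stand-in for a host categorization service.
HOST_CATEGORIES = {
    "bank.example": "Financial Services",
    "c2.malnet.example": "Malicious Sources/Malnets",
    "mail.example": "Web Mail",
    "social.example": "Social Networking",
}

# Ordered policy (constructed): block known malnets, bypass finance and
# health for privacy, decrypt the rest so security tools can see it.
POLICY = [
    ("Malicious Sources/Malnets", "block"),
    ("Financial Services", "bypass"),
    ("Health", "bypass"),
    ("Web Mail", "decrypt"),
    ("Social Networking", "decrypt"),
]
DEFAULT_ACTION = "decrypt"


def looks_like_client_hello(data):
    """Port-independent check: TLS record type 0x16 (handshake), record
    version 0x03xx, handshake type 0x01 (ClientHello)."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def extract_sni(data):
    """Walk the ClientHello and return the server_name, or None."""
    if not looks_like_client_hello(data):
        return None
    try:
        pos = 5 + 4 + 2 + 32                      # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]                      # session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher suites
        pos += 1 + data[pos]                      # compression methods
        if pos + 2 > len(data):
            return None                           # no extensions block
        end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:                # server_name
                p = pos + 2                       # skip ServerNameList length
                while p + 3 <= pos + ext_len:
                    name_type = data[p]
                    name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                    p += 3
                    if name_type == 0:            # host_name
                        return data[p:p + name_len].decode("ascii", "replace")
                    p += name_len
                return None
            pos += ext_len
    except (IndexError, struct.error):
        return None                               # truncated or malformed hello
    return None


def decide(hostname):
    """Map a hostname to (category, action) using the ordered policy."""
    category = HOST_CATEGORIES.get(hostname, "Uncategorized")
    for cat, action in POLICY:
        if cat == category:
            return category, action
    return category, DEFAULT_ACTION


def classify_flow(payload):
    """Per-flow decision: (is_tls, sni, category, action)."""
    if not looks_like_client_hello(payload):
        return False, None, None, "pass"          # not TLS: nothing to decrypt
    sni = extract_sni(payload)
    category, action = decide(sni)
    return True, sni, category, action


def build_client_hello(hostname):
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension."""
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"                  # version, random, empty session id
            + struct.pack("!H", 4) + b"\xc0\x2f\xc0\x30"        # two cipher suites
            + b"\x01\x00"                                       # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for port, host in [(443, "bank.example"), (8443, "c2.malnet.example"), (443, "mail.example")]:
        print(port, classify_flow(build_client_hello(host)))
    print(80, classify_flow(b"GET / HTTP/1.1\r\n"))
```

A flow with no SNI, or with a hostname the service has never seen, falls to the default action; which default you pick (decrypt for coverage, bypass for privacy) is the policy decision the slide's two requirements are about.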
SSL Decryption – Two Approaches
Outbound SSL Decryption
• Origin: inside your network; destination: the internet
• Outbound encrypted internet traffic, encrypted email, shadow IT (SaaS)
Inbound SSL Decryption
• Origin: from the internet; destination: your hosted services
• Web servers, email servers, customer web portals
[Figure: clients and hosted services on either side of a security solution facing the Internet]
Providing visibility for the entire security stack: IPS – IDS – APT – DLP – APM – SIEM – Full Packet Capture
SSL Visibility Appliance Deployment Models
Model is per segment (not per appliance)
• Passive-Tap
  • Inbound only
• Passive-Inline
  • Inbound and outbound
  • Max 2 passive tools
• Active-Inline
  • Inbound and outbound
  • Active tool(s)
  • Max 2 passive tools
[Figure: Passive-Tap, Passive-Inline and Active-Inline topologies]
SSL Visibility Appliance Common Use Case
• Identify all inbound and outbound SSL / TLS traffic
• Utilize the Global Intelligence Network
• Establish category-based policies to selectively decrypt SSL traffic and maintain compliance
• Feed existing security solutions to expose potential threats
• Avoid high-capacity upgrade costs
• Extend security infrastructure investment
• Assures data integrity of traffic – auditable “loopback”
[Figure: Internet, Gateway / Firewall, SSL Visibility Appliance, corporate servers and clients; the appliance feeds the Global Intelligence Network, Security Analytics, Sandbox and NG IPS, with encrypted and decrypted traffic paths shown]
IPS REFRESH OPPORTUNITY
Global Financial Services Firm
Pain Points
• Lack of visibility into SSL/TLS encrypted traffic
• Compliance adherence and risks
• Increasing Advanced Persistent Threats (APTs) and malware attacks
Solution
• “Decrypt Once-Feed Many” design supporting Cisco/Sourcefire IPS and FireEye solutions
• Existing Blue Coat ProxySG and AV customer looking for continued WebPulse / Global Intelligence Network collaboration
Results
• Over 25 SSL Visibility Appliances deployed across North America, LATAM and Europe
• Satisfied customer with a globally secure network that enhances and complements their existing solutions
BLIND SPOT: MULTIPLE TOOLS + HR/LEGAL
US-based Fortune 50 Company
Pain Points
• Realized they have massive blind spots with their IPS (HP), forensics (RSA NetWitness) and malware analysis (FireEye) solutions
• Faced confusion regarding SSL offload and “back-to-back” solutions (e.g. A10, F5)
• Spent 4 months trying to make F5 work
Solution
• Blue Coat educated customer on ETM
• Addressed Legal Dept. concerns with Host Categorization
• Quickly shipped equipment
• POC set up and showed the value in just 3.5 hours
Results
• 24 SV2800 appliances in < 60 days
• Satisfied customer with a secure network that enhances and complements their existing security solutions
NG** - Sometimes all in one --- isn’t all in one
Regional Bank / Financial Firm
Pain Points
• Rapid growth of SSL required a strengthened security posture
• Current use of Palo Alto NGFW w/ IDS/IPS was insufficient due to poor performance and no support for Venafi cert/key management
• PAN H/W upgrades were significantly over budget
• 2 month deadline for current FY
Solution
• SSL Visibility Appliances feed PAN NGFW+IDS and support Venafi Trust Protection Platform
• “Decrypt Once-Feed Many” architecture allows future growth
• Additional security projects in discussion
Results
• 5 SSL Visibility Appliances delivered in 3 weeks
• Satisfied customer with a newly enhanced secure network that complements their existing solutions within budget
• 1000+ server infrastructure supporting 8000+ employees
• Using Venafi to distribute, validate and manage cryptographic certs & keys
• Longtime Blue Coat customer
Ramifications of SSL / TLS Growth
• Ignoring encrypted traffic
  • Increases data security and governance risk
  • Inbound infestation
  • Outbound data exfiltration
• Inspecting encrypted traffic
  • Invokes regulatory compliance
  • Numerous regulations per industry
  • Adds complexity and CapEx / OpEx costs
  • Decreases ROI of the infrastructure
Encrypted Traffic Management: A Security Necessity
• Encrypted traffic is growing, advanced threats increasingly use encryption, and most security solutions are “blind” to SSL or suffer degraded performance or cryptography.
• Encrypted Traffic Management – Blue Coat
  • Eliminate the encrypted traffic blind spot
  • Assure high-security encryption
  • Cost-effectively enhance the existing security infrastructure (ROI)
  • Preserve privacy and compliance while enabling comprehensive security
Encrypted Traffic Management: FOR MORE INFORMATION
• Understanding the Impact of SSL/TLS Encryption and Mitigation Options
  • Blue Coat “The Visibility Void”
  • Gartner report “Security Leaders Must Address Threats from Rising SSL Traffic”
  • SANS white paper “Finding Hidden Threats by Decrypting SSL”
  • ETM for Dummies book
• Balancing Data Privacy with Security
  • Securosis white paper “Security and Privacy on the Encrypted Network”
• SSL/TLS Performance Analyses
  • NSS Labs report “SSL Performance Problems”
• www.bluecoat.com/uncoverssl