Zero trust was designed to eliminate implicit trust in any single element on the network, and it has become top-of-mind for most security leaders today. As threats grow more complex and increasingly hide in encrypted traffic, the ability to see into that traffic has become crucial to building an effective zero-trust framework.

According to recent research, more than 90% of malware detections arrive over HTTPS-encrypted connections. Let’s explore why companies now need to focus on encrypted traffic analysis (ETA) for network detection and response, and shed some light on its role in zero trust.

First, a quick review of zero trust. The security model is built on a set of system design principles that includes a coordinated cybersecurity and system management strategy. It acknowledges that threats exist both inside and outside traditional network boundaries, and that breaches are inevitable or have likely already occurred. Widely accepted zero-trust best practices include verifying all users with MFA, verifying all devices, encrypting network traffic, monitoring access to sensitive data, implementing enterprise-wide logging and information sharing, allowing only authorized users to access specific resources, and monitoring and reviewing all user activity across the network.

Being able to see into encrypted traffic for analysis matters most for the zero-trust guidance on network monitoring, and it is commonly delivered by network detection and response (NDR) solutions. Modern NDR tools enable continuous monitoring across networks for threat detection, threat hunting, forensics and response, and use ETA to provide visibility into encrypted traffic. But not all ETA is created equal.

Traditional ETA has relied on deep packet inspection (DPI) of the plaintext, which for TLS traffic means security teams must deploy decryption proxies or middleboxes that terminate the session, inspect the packet contents, and re-encrypt them. This approach costs money, introduces performance bottlenecks (every flow is decrypted and re-encrypted inline), and creates additional security concerns of its own, such as a high-value interception point and weakened certificate validation, which the U.S. Government has warned about.

As a result, many organizations are looking to deploy NDR solutions whose ETA uses deep packet dynamics (DPD), often referred to as NextGen ETA. DPD eliminates the need for payload inspection: instead of decrypting, it analyzes more than 100 packet traits and behaviors that remain observable on encrypted connections, such as packet sizes, timing, direction, and handshake metadata, using behavioral analysis and machine learning. Because it never touches the payload, the technology works regardless of vendor, domain, or cloud, and lets organizations better meet zero-trust requirements for network monitoring. Here are five reasons to use NextGen ETA for zero trust:

  • There’s no automatic zone of trust: NIST SP 800-207 says: “Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.” NextGen ETA lets security teams see into encrypted traffic and continually evaluate trust without decrypting packets or impacting performance.
  • Evaluation requires visibility: An evaluation that is not backed by measurement carries little weight. Encryption prevents traditional tools from measuring and evaluating traffic effectively, which reduces visibility, whereas NextGen ETA measures and analyzes the traits and behaviors of connections in real time to reveal malicious activity. This approach is unaffected by encryption and helps establish pervasive visibility.
  • Trust must continuously be established: Attackers can compromise a legitimate end-user account and weaponize it within moments. AI-driven anomaly detection uncovers deviations from established behavior so security teams can continually re-evaluate trust and access, then deny or restrict it before an attack escalates. NextGen ETA plays a significant role in providing visibility into those behaviors for detection and response.
  • Organizations must detect advanced threats and stop attacks: The zero-trust framework helps limit the blast radius of an attack and deny adversaries success. ETA can collect, classify, and characterize encrypted sessions to infrastructure and assets. For example, ETA can catch threat-actor movements at many different stages, such as lateral movement, data staging, and exfiltration, giving security teams multiple opportunities to stop a live attack before it completes.
  • ETA simplifies visibility of complicated networks: As digital transformation continues, it often leaves gaps in an organization’s network strategy. It’s crucial to track all assets, access, operations, and interconnecting infrastructure. When security teams combine ETA with NDR, they get the best of both policy management and behavioral analysis across the network core, multi-cloud, and edge, revealing anything that is untrustworthy and giving responders the intelligence for decisive action.
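To make concrete what analyzing “packet traits and behaviors” without decryption looks like, and how behavioral deviations such as beaconing or data exfiltration can surface from them, here is an added example. It is not LiveAction’s code and not part of the original article; it is a small, self-contained illustration of the idea. It assumes each packet is recorded only as (timestamp, direction, length), with no payload bytes at all, and the sample flows and detection thresholds below are constructed for illustration, not taken from real captures or from any product.

```python
"""Flow-behaviour features from encrypted traffic, with no payload inspection.

Added example (not LiveAction's code): every packet is reduced to its
timestamp, direction and size, which stay observable under TLS.  The
thresholds and sample flows are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Packet:
    """One packet observed on the wire; payload is deliberately absent."""
    ts: float        # seconds since flow start
    direction: str   # "out" = client -> server, "in" = server -> client
    length: int      # bytes on the wire


def flow_features(packets):
    """Derive behavioural traits from sizes, timing and direction only."""
    if not packets:
        return {"packets": 0}
    out_ts = sorted(p.ts for p in packets if p.direction == "out")
    out_bytes = sum(p.length for p in packets if p.direction == "out")
    in_bytes = sum(p.length for p in packets if p.direction == "in")
    # Gaps between consecutive outbound packets: an implant that sleeps for a
    # fixed interval produces gaps that are both large and very regular.
    gaps = [b - a for a, b in zip(out_ts, out_ts[1:])]
    gap_mean = mean(gaps) if gaps else 0.0
    gap_cv = pstdev(gaps) / gap_mean if len(gaps) > 1 and gap_mean > 0 else 0.0
    total = out_bytes + in_bytes
    return {
        "packets": len(packets),
        "out_packets": len(out_ts),
        "out_bytes": out_bytes,
        "in_bytes": in_bytes,
        "upload_ratio": out_bytes / total if total else 0.0,
        "gap_mean": gap_mean,
        "gap_cv": gap_cv,   # coefficient of variation of outbound gaps
    }


def classify(feats, beacon_cv=0.1, beacon_min_gap=1.0, beacon_min_pkts=5,
             exfil_ratio=0.9, exfil_min_bytes=1_000_000):
    """Return the behaviours a flow exhibits; empty list if nothing stands out.

    Threshold values are illustrative assumptions, not tuned production values.
    """
    findings = []
    if feats.get("packets", 0) == 0:
        return findings
    # Beaconing: enough outbound packets, seconds apart, with almost no jitter.
    if (feats["out_packets"] >= beacon_min_pkts
            and feats["gap_mean"] >= beacon_min_gap
            and feats["gap_cv"] < beacon_cv):
        findings.append("periodic beaconing")
    # Staging/exfiltration: the client sends far more than it receives.
    if feats["upload_ratio"] > exfil_ratio and feats["out_bytes"] > exfil_min_bytes:
        findings.append("bulk upload")
    return findings


def analyze(packets):
    return classify(flow_features(packets))


# --- Constructed sample flows (synthetic, not real captures) ---
BEACON_FLOW = []
for i in range(12):
    t = 60.0 * i + (0.1 if i % 2 else 0.0)   # 60 s interval, +/-0.1 s jitter
    BEACON_FLOW.append(Packet(t, "out", 512))
    BEACON_FLOW.append(Packet(t + 0.05, "in", 256))

EXFIL_FLOW = [Packet(i * 0.001, "out", 1400) for i in range(1000)]
EXFIL_FLOW += [Packet(i * 0.02 + 0.0005, "in", 60) for i in range(50)]

BROWSING_FLOW = [
    Packet(0.00, "out", 517), Packet(0.04, "in", 1400), Packet(0.05, "in", 900),
    Packet(0.30, "out", 300), Packet(0.35, "out", 280), Packet(0.40, "in", 1400),
    Packet(2.10, "out", 310), Packet(2.20, "out", 290), Packet(2.25, "in", 1400),
    Packet(9.00, "out", 305), Packet(9.40, "out", 295), Packet(9.45, "in", 1400),
]

if __name__ == "__main__":
    for name, flow in [("beacon", BEACON_FLOW), ("exfil", EXFIL_FLOW),
                       ("browsing", BROWSING_FLOW)]:
        print(name, analyze(flow))
```

The point of the example is that nothing in it reads a byte of application data: the beacon is visible purely from the regularity of outbound timing, and the staging/exfiltration candidate purely from the byte ratio and volume. A real NDR product would compute many more such traits and feed them to a trained model rather than fixed thresholds, but the inputs it has to work with on an encrypted connection are of exactly this kind.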

As organizations look to implement or mature a zero-trust framework, it's crucial to define the process and select the proper tools for success. Using the latest ETA technologies helps ensure that visibility into encrypted traffic does not become a burden and can streamline security operations. For more information on the zero-trust framework, see NIST SP 800-207.

Thomas Pore, director of security products, LiveAction