Author: Chase Snyder, Security Product Marketing Manager at ExtraHop
In the nearly two years since the IETF ratified the new TLS 1.3 standard for encrypting data, adoption of the standard has ticked up steadily, but many enterprises are still holding off. They fear that this new, strong encryption standard will negatively impact their ability to monitor their own environments for security threats, especially via common passive modes of decryption for traffic analysis.
This fear is well founded. TLS 1.3 removes static (non-ephemeral) key exchange, including RSA key transport, and makes ephemeral session keys with perfect forward secrecy a mandatory requirement rather than the optional setting they were in TLS 1.2 and earlier versions. Many passive security monitoring technologies will be made more cumbersome or even completely nonviable by this change. The same businesses feeling this pain are also experiencing mounting pressure to encrypt more data, in motion and at rest, to protect sensitive data in case of a breach. This presents enterprises with a difficult choice between using the best available encryption and maintaining the visibility their security teams need to conduct investigations and resolve potential threats.
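To make the key-exchange point concrete, here is an added example (not code from the ExtraHop post or the Gartner report) that classifies cipher suites by whether a passive monitor holding only the server's long-term private key could ever recover the session keys. It assumes the dict layout returned by `ssl.SSLContext.get_ciphers()` in Python 3.6+ (the `kx-rsa` / `kx-ecdhe` / `kx-any` values are the names OpenSSL reports); the sample suite list is constructed so the audit runs offline.

```python
"""Classify TLS cipher suites by whether passive (static-key) decryption is possible.

Added example, not from the original post. Suite dicts follow the layout of
ssl.SSLContext.get_ciphers(); only 'name', 'protocol' and 'kea' are used.
"""
import ssl

# TLS 1.2 RSA key exchange: the client encrypts the premaster secret to the
# server's static RSA key, so whoever holds that key can derive the session keys.
# (EC)DHE suites: the long-term key only signs; the shared secret comes from
# one-time values, so the server key alone is useless afterwards (forward secrecy).
# TLS 1.3: key exchange is always ephemeral, the suite name no longer even lists it.


def passive_decryptable(suite: dict) -> bool:
    """True only for non-ephemeral RSA key transport on TLS 1.2 or earlier."""
    if suite["protocol"] == "TLSv1.3":
        return False  # ephemeral (EC)DHE is mandatory in TLS 1.3
    return suite["kea"] == "kx-rsa"  # OpenSSL's name for static RSA key exchange


def audit(suites: list) -> dict:
    """Group suite names into what a passive decryptor can and cannot handle."""
    report = {"passive_ok": [], "forward_secret": [], "tls13": []}
    for s in suites:
        if s["protocol"] == "TLSv1.3":
            report["tls13"].append(s["name"])
        elif passive_decryptable(s):
            report["passive_ok"].append(s["name"])
        else:
            report["forward_secret"].append(s["name"])
    return report


# Constructed sample in get_ciphers() format (fields not needed here are omitted).
SAMPLE_SUITES = [
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "kea": "kx-any"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe"},
    {"name": "DHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "kea": "kx-dhe"},
    {"name": "AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-rsa"},
    {"name": "AES256-SHA", "protocol": "SSLv3", "kea": "kx-rsa"},
]


def audit_local_openssl() -> dict:
    """Run the same audit over the suites the local OpenSSL enables by default."""
    return audit(ssl.create_default_context().get_ciphers())


if __name__ == "__main__":
    for cls, names in audit(SAMPLE_SUITES).items():
        print(f"{cls:15s} {names}")
```

Only the two `kx-rsa` suites land in `passive_ok`; every TLS 1.3 suite is ephemeral by construction, which is exactly why a full migration removes the passive option.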
In its report, Demystifying The Impact of TLS 1.3 on TLS Inspection, Gartner delves deeper into the options and tradeoffs available to businesses as they consider the transition to TLS 1.3. The research discusses both security and performance-focused features of TLS 1.3, but for this blog post we'll focus on security features, and in particular, Gartner's discussion of the options available in cases where passive mode decryption is a requirement.
In the report, Gartner wrote: "The benefit of this increased security is both positive and negative for enterprise security teams: Although it's harder for others to intercept enterprise traffic, enterprise visibility into encrypted traffic is also reduced unless steps are taken to keep decryption possible. Third-party sources indicate 54% of network threats are found in encrypted traffic. Enterprise security teams require inspection of network traffic to detect such threats including malware, command and control traffic, and data exfiltration. Tools such as firewalls, intrusion protection systems (IPS) and data loss protection (DLP) provide such detection, but they only work if traffic can be decrypted. Gartner estimates that encrypted browsing routinely exceeds 80% of total internet traffic, many times originating on enterprise internal networks, creating an inspection challenge."
Here are a few of Gartner's findings and recommendations on the subject of passive mode decryption when TLS 1.3 is in place:
"Passive mode decryption relies on nonephemeral modes of key exchange. TLS 1.3 no longer supports nonephemeral modes of key exchange. A full migration to v1.3 will break passive mode decryption unless specific provisions are taken. Follow one of these recommended options if passive mode decryption is a requirement:
"Technical professionals responsible for security of networks and endpoints should:
ExtraHop, a network detection and response (NDR) technology aimed at detecting and remediating advanced attacks through network behavior analysis, is able to decrypt traffic from SSL through TLS 1.3 in order to check whether the encrypted traffic is benign.
In less than three years on the market, the company achieved the third-highest global market share by revenue in 2019 in the Network Detection and Response (NDR) segment, according to Gartner's Market Share: Enterprise Network Equipment Market Share Worldwide, 2020. Even more notable from our standpoint is the revenue change from 2018 to 2019 of 382% listed for ExtraHop, the highest in the Network Detection and Response segment.
ExtraHop's growth numbers are a result of arming security leaders and practitioners with the intelligence they need to make informed decisions quickly to stop a threat before an adversary can breach the network.
Gartner subscribers can read the full report here: Demystifying The Impact of TLS 1.3 on TLS Inspection
You can read the original article on the ExtraHop website.