Large numbers of websites and Internet services are disappearing behind encrypted connections, part of a growing “visibility void” in which organisations struggle to tell friendly traffic from foe, security firm Blue Coat has argued.
At first sight it’s an odd perspective because the use of encrypted HTTPS connections by services such as Google, Facebook and Twitter is normally seen as a good thing, which indeed it is. But tolerance of unmonitored traffic is now carving out a space for malevolent traffic to flourish, or so the argument goes.
The problem is that organisations face a poor choice: ignore encrypted traffic and risk letting in malicious software, which itself increasingly uses encryption to hide its command and control, or block it all, making it impossible for employees to visit legitimate sites.
Using figures from Blue Coat’s customers, 69 percent of traffic to the top 50 most popular websites is now encrypted by default, with Google, Facebook, YouTube, Yahoo and Baidu the top five in that order.
Only a handful of mass-market sites such as ESPN, BBC News, CNN or Pandora still leave encryption turned off for maximum compatibility. In the UK, the BBC is now the only non-encrypted site in the top ten.
Meanwhile, the growth of cloud services, which are heavy users of encryption, makes it increasingly likely that in time almost all corporate traffic will be ‘invisible’ to conventional monitoring.
“The tug of war between personal privacy and corporate security is leaving the door open for novel malware attacks involving SSL over corporate networks that put everyone’s data at risk,” claimed Blue Coat’s chief security strategist, Hugh Thompson.
“For corporations to secure customer data and meet regulatory and compliance requirements, they need the visibility to see the threats hiding in encrypted traffic and the granular control to make sure employee privacy is also maintained.”
The firm also said that around one in ten of the security requests its researchers received in an average week was now regarding a suspicious website using encryption, equivalent to around 100,000 requests.
It is these dark or unknown sites that underline the need to monitor encrypted channels, the firm said, citing the Dyre banking malware as only the latest in a growing list of threats using encrypted channels.
The orthodox solution is to turn on SSL inspection at the gateway, if such a capability exists, but decrypting and re-encrypting every connection hits performance. Admins usually then narrow inspection to a subset of traffic categories, exempting for instance visits to known, trusted websites.
SSL inspection is also not always able to go much beyond HTTPS traffic, which leaves a significant chunk of encrypted traffic unaccounted for in security oversight.
Blue Coat’s answer is Encrypted Traffic Management, which it claims can direct suspect payloads to other security infrastructure after first decrypting traffic. This can end up sounding a lot like SSL inspection in another form because there will still be an overhead even if it is reduced.
Taken private in 2012 in a $1.3 billion (£830 million) buy-out, Blue Coat has continued to reinvent itself since then, buying Solera Networks a year later and then sandboxing firm Norman Shark some months after that.