Encryption, a friend or foe of cybersecurity?
By Arie Fred, VP of Product, SecBI
Encryption has been hailed as the savior of security and privacy online. Enterprises across the globe are increasingly adopting additional encryption layers to comply with regulations and reduce the risk of cyberattacks and data breaches.
A new report by the Ponemon Institute shows 45% of organizations have a comprehensive encryption policy in place, and according to Gartner’s “Security and Risk Management Trends for 2019 and Beyond”, more than 80% of enterprise web traffic will be encrypted through 2019. Google reports that 94% of its traffic across all its products and services is encrypted.
Encryption is the cornerstone for interest users to maintain trust online. Without it, as consumers, we wouldn’t trust our bank and conduct our business using online means. We wouldn’t perform mobile payments or upload our data into web-portals. Organizations wouldn’t allow employees to work from remote locations. There will be too many challenges allowing 3rd parties to access their systems and data.
Presumably, this increased adoption of encryption is welcomed news, for almost everyone. The problem is that not only are organizations using encryption to enhance their security posture. Not surprisingly, cybercriminals use encryption as well, albeit due to their usual nefarious reasons. Unfortunately, they have plenty of opportunities to operate undetected with HTTPS taking over HTTP as the primary communication protocol between browsers and websites.
It is estimated that some type of encryption will be used in more than half of new malware campaigns in 2019 and more than 70 percent in 2020. This means that cyber criminals understand and leverage the benefits of encryption. Yet how can they use encryption achieve their goals? Hackers “hide” traces of their actions in encrypted traffic, so that that traditional security mechanisms are “blind” to it. Hence, it allows them to operate for longer durations without being detected. The main network and endpoint detection tool used to analyze traffic is DPI (deep packet inspection) cannot achieve its goals on SSL/encrypted traffic. The preventive security mechanism used to identify and block malicious traffic, i.e. firewalls, is not capable of inspecting encrypted traffic.
Some organizations try to solve this obstacle by employing decryption methods, but these solutions compromise performance with slowdowns, are typically expensive and/or significantly difficult to implement. It is estimated that more than 60% of organizations will be unable to efficiently decrypt HTTPS traffic by 2020, leaving them blind to cyberattacks that use encrypted channels.
So how do you address this challenge that ironically is caused by goodwill, specially the will to INCREASE security and privacy? Certainly, the solution cannot be to reduce use of encryption. Employees, customers and just plain internet users all benefit from higher levels of encryption, plus regulators are pushing for the increased use of encryption.
One way would be to use technologies that are encryption-agnostic. Use a technology that groups a collection of significantly correlated events that are unique in their behavior into distinctive clusters. In order to do so, the algorithm doesn’t need to look at the CONTENT of the data, rather just the context, meaning origin IP, the IP it is accessing, time, size, etc. By doing so, such a technology is able to detect data that is being exfiltrated from the organization, regardless if it is encrypted or not.
Instead of investing in the ever-growing efforts in decrypting, SecBI identifies abnormal behavior by analyzing the context. The upside of this approach means that this system is future-proof and will stand the test of time to operate properly even if new encryption standards will be introduced.