Uncovering the Next Infrastructure Blind Spot: SSL

By: Ananda Rajagopal, Vice President of Product Management AnandaRajagopal

Visibility: the Merriam-Webster dictionary defines it as the “capability of affording an unobstructed view”. In the world of business, visibility delivers relevant insight, which can be the difference between just-in-time action and a missed opportunity. This is why traffic-based visibility powers the business of NOW! Yet, the nature of traffic visibility is such that underlying shifts in payload types and patterns requires solutions that can readily adapt to these shifts and provide an unobstructed view of traffic to the administrator.

Many security and network administrators are facing up to an underlying shift in enterprise traffic: a growing portion of it is encrypted within SSL. According to an independent study done by NSS Labs, anywhere from 25%-35% of enterprise traffic is encrypted in SSL and is growing further every month. In some verticals, that number is already higher. By itself, this statistic would not cause a flutter but this is exacerbated by other findings on the state of today’s security and performance monitoring infrastructure:

  • Although inline devices such as ADCs, firewalls etc. have integrated SSL support, out-of-band monitoring and security tools often do not have the ability to access decrypted traffic to perform security and performance analysis. This allows SSL traffic to fly under the radar, creating a potential security loophole.
  • Consequently, performance management tools and many out-of-band security tools are either completely blind to SSL traffic or get overloaded if they decrypt SSL. In discussions with many of our customers, they have pointed out a drop in performance by almost 80% if the tool decrypts SSL.
  • Many security administrators are using larger ciphers for increased security today. A study by NSS Labs noted a performance degradation of 81% in existing SSL architectures.
  • Hackers and cybercriminals are increasingly using SSL sessions to dodge network security defenses. Indeed, a Dec. 9, 2013 Gartner report titled “Security Leaders Must Address Threats From Rising SSL Traffic” by Jeremy D’Hoinne and Adam Hils, “Gartner believes that, in 2017, more than half of the network attacks targeting enterprises will use encrypted traffic to bypass controls, up from less than 5% today”.

In short, the very technology that was supposed to ensure confidentiality is now being exploited by nefarious actors. These are precisely the reasons that have driven us at Gigamon to come with the next innovation in visibility—the industry’s first and only visibility solution with integrated SSL support. With built-in hardware to decrypt SSL sessions at high performance, this new capability provides visibility into a critical blind spot facing administrators today. It is not without reason that analysts, customers and our technology ecosystem partners who have been privy to this development are all agog with excitement!

This new capability is yet another proof point of what GigaSMART can offer to IT and security administrators. GigaSMART is a platform that allows advanced traffic intelligence to be extracted via various applications that can be dynamically enabled and run in combination on a common underlying platform. Contrast this with other visibility products that offer point features to address point problems with point hardware—over time, both capital and operational costs of managing point products rapidly add up until they can no longer offer visibility to the next blind spot the administrator seeks to uncover. Gigamon’s GigaSMART technology solves visibility challenges holistically with a platform-based architectural approach. If you are a Gigamon customer who has already invested in GigaSMART on any of the GigaVUE-H Series platforms, you do not need any new hardware to run this new SSL application! The benefits of this platform-based approach are considerable. Here are three examples related to SSL decryption:

  • You can service chain multiple GigaSMART applications together. Interested in sending encrypted traffic at a remote site to a centrally located data loss prevention appliance? Not a problem. You can run both the tunneling and SSL decryption applications on GigaSMART in combination. Want to monitor secure VM-VM traffic between specific enterprise applications and generate NetFlow records on that traffic? Amen! You can combine tunneling, SSL decryption and the NetFlow generation applications on GigaSMART to generate NetFlow records on encrypted traffic. Have a concern about data misuse after decryption? You can combine SSL decryption with the packet masking/slicing applications on GigaSMART to support compliance with regulatory and/or organizational policies.
  • By combining SSL decryption with clustering in a Visibility Fabric, traffic from low-cost edge ports in the visibility infrastructure is automatically routed to the node in the cluster that has SSL decryption capability. This eliminates the need for SSL decryption solutions to be distributed at multiple locations, saving cost and ensuring better security in key management.
  • By delivering ‘Decryption as a Service’ via the Gigamon Visibility Fabric implemented with GigaSMART, administrators can increase the overall performance of their tooling infrastructure. The SSL traffic is decrypted once and then delivered to every tool that needs it, such as IDS, DLP, anti-malware, and even APM and other non-security tools.

For those who think that visibility can be obtained through mere “tap aggregation”, think again. Visibility must provide insight into infrastructure blind spots. Visibility is about extracting traffic intelligence to increase the performance of security and operational tools connected to the visibility infrastructure so that administrators can get the right insight. The nature of visibility is such that new challenges will arise tomorrow that today’s visibility solution should be able to adapt to—something that a repurposed Ethernet switch is simply not designed for. After all, isn’t visibility about offering an “unobstructed view”?

For more information including example use cases, visit our webpage on SSL Visibility.

RSA 2014 Recap: The Year of Pervasive Security and Analytics

by: Neal Allen, Sr. Worldwide Training Engineer, GigamonNeal-Allen

According to ESG research and Jon Oltsik, Sr. Principal Analyst at ESG: 44% of organizations believe that their current level of security data collection and analysis could be classified as “big data,” while another 44% believe that their security data collection and analysis will be classified as “big data” within the next two years. (note: In this case, big data security analytics is defined as, ‘security data sets that grow so large that they become awkward to work with using on-hand security analytics tools’).

This trend was highlighted at the RSA Conference the week before last with many organizations including Gigamon talking about ways security professionals can sift through the noise to find “the needle in the haystack.” Large amounts of security related data is driving the need for Big Data security analytics tools that can make sense of all this information to uncover and identify malicious and anomalous behavior.

Prior to a few years ago, threats were largely script kiddies and other unsophisticated hackers looking to disrupt communications. Organized crime then discovered they could make a lot of money selling access into corporate networks – so they started hiring really smart people to hack in. Around the same time, some governments created formal, but unofficial, departments whose job it was to steal third party intellectual property in order to advance their nation.

Between organized crime and state-sponsored industrial espionage, the interior of the network is at as much risk as the perimeter. This is particularly true with the growth in BYOD and mobility in general. If security analytics and security tool vendors are having problems keeping up with newly upgraded 10Gb edge links, then how will they deal with core networks where there are lots and lots of 10Gb, 40Gb or faster links? Not to mention, user edge traffic often times is not even tapped or spanned because of the potentially high costs of monitoring copious amounts of data across expansive networks.

The nature of security is evolving quickly and no one technique or approach to securing the network suffices anymore. Companies focused around security are now embracing multiple approaches in parallel to address security effectively. These include solutions that are inline and out-of-band, as well as solutions that do packet-level analysis and flow-level analysis. Gigamon, together with its Ecosystem Partners, presented at RSA and highlighted the critical role Gigamon’s Visibility Fabric™ plays in enabling pervasive security for best-in-breed solutions from Sourcefire/Cisco, ForeScout, FireEye, Websense, TrendMicro, Riverbed, Narus, LogRhythm and nPulse.

An effective solution that enables pervasive security should serve up the ability to address a multitude of approaches. The Gigamon Visibility Fabric does exactly that with highly scalable and intelligent solutions to address inline, out-of-band, packet-based and now flow-based security tools and approaches. In addition, Gigamon’s Visibility Fabric has the ability to combine approaches effectively, including packet-based pre-filtering prior to generating NetFlow. Gigamon’s Visibility Fabric is necessary to accelerate post analysis – through granular filtering and forwarding of packets, as well as pervasive flow-level visibility – to find that “needle in the haystack.”

We’ve entered into a new world of network security and providing insightful security analytics can be just as important as the ability to detect threats from across the network in real time. Walking around the booths at RSA, it was clear that without pervasive visibility most networks will be left with limited or delayed situational awareness, security intelligence and operational responsiveness. In a rapidly moving world, this delay may be too late.