Product News: Encrypted Traffic Insights with Corelight

The NSA recently issued an advisory to enterprises that adopt ‘break and inspect’ technologies to gain visibility over encrypted traffic, warning them of the potential risks of such an approach. In fact, decrypting and re-encrypting traffic through a proxy device, firewall, or intrusion detection or prevention system (IDS/IPS) that doesn’t properly validate Transport Layer Security (TLS) certificates, for instance, will weaken the end-to-end protection that TLS encryption provides to end users, drastically increasing the likelihood that threat actors will target them in man-in-the-middle (MitM) attacks, Bleeping Computer reported.





“This is why companies like Corelight invest into features like SSH Inference to inform defenders while protecting privacy,” explained Richard Bejtlich, principal security strategist at Corelight. “Our new sensor feature profiles Secure Shell traffic to identify account access, file transfers, keystroke typing, and other activities, all while preserving default encryption and without modifying any endpoint software. I believe security teams will have to increasingly incorporate these sorts of solutions, rather than downgrading or breaking encrypted traffic,” he continued.


Corelight, in fact, has just recently unveiled the new capabilities of its network traffic analysis (NTA) solutions for cybersecurity, the Corelight Encrypted Traffic Collection (ETC). ETC will empower threat hunters and security analysts with rich and actionable insights for encrypted traffic, without the need to ‘break and inspect’.


Effectively able to read the network’s ‘body language,’ the tool will single out the behaviour of malicious activity even when decryption is not an option. Rather than simply detecting threats, the data that ETC can provide will allow enterprises to make critical, informed ..
