Where You Decrypt Has A Big Effect on Network Data
It’s a common saying that what you say or do matters less than how you say or do it. This holds true for network data decryption as well. Many businesses today decrypt and inspect network data, and for good reason: it’s been estimated that 70% of malicious traffic is now embedded within encrypted traffic.
However, one thing that you don’t hear a lot about is where to decrypt that data. For instance, researchers at Enterprise Management Associates (EMA) found in their 2022 report (Network Visibility Architecture for the Hybrid, Multi-Cloud Enterprise) that 43% of study participants decrypted traffic on each analysis tool, just prior to inspection. While this may be a perfectly valid thing to do, I would submit to you that it probably is NOT the best option.
Consider this — there are two fundamental locations to perform data decryption:
At each security tool
One centralized location
Since most companies with an interest in security have multiple security analysis tools, they often purchase decryption capability for each tool. This strategy can create three problems:
Non-standard decryption algorithms across tool manufacturers can leave you without the decryption capability you need when malware appears.
Wasted CPU performance, as each tool must decrypt and re-encrypt the same traffic again and again. Decryption at every tool can slow your network and increase the odds that decryption is disabled. ZK Research discovered in one of their surveys that when decryption slows the network down to a crawl, 45% of security engineers just turn it off — leaving them with no decryption at all.
Runaway costs from growing tool requirements can entice some to take shortcuts in the visibility architecture through spot monitoring or using SPAN ports instead of dedicated hardware tapping devices (which might not meet compliance or visibility requirements).
The alternative to decryption on every tool is to decrypt once at a central hub. An example would be a network visibility architecture in which a network packet broker performs the decryption and re-encryption. Once that packet broker decrypts the data, it can pass multiple copies to security tools in parallel, or it can pass the data serially from one tool to the next, per your architecture requirements. Once the data has been completely examined and the good data returned to the packet broker, the broker re-encrypts it and sends it on into the network.
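To make the two placements concrete, here is an added example (not Keysight’s code, and not from the EMA or ZK Research reports) that models them in Python. It assumes a toy TLS stand-in (a SHA-256 counter-mode keystream with an HMAC tag, used only so that "decrypt/verify" and "re-encrypt" are real operations that can be counted), three constructed inspection tools (a signature check, a data-loss-prevention check and a passive logger), and four constructed sample flows. The per-tool placement has every inline tool decrypt, inspect and re-encrypt; the packet-broker placement decrypts once and fans the plaintext out either in parallel (every tool sees a copy) or serially (the chain stops at the first block), then re-encrypts only traffic that all tools allowed.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Optional, Tuple

# --- Toy cipher standing in for TLS (assumption: SHA-256 keystream + HMAC tag). ---
NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")  # tampered or wrong-key traffic
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# --- Constructed inspection tools: each sees plaintext and returns a verdict. ---
Tool = Callable[[bytes], str]

def signature_tool(p: bytes) -> str:
    return "block" if b"MALWARE-SIGNATURE-TEST" in p else "allow"

def dlp_tool(p: bytes) -> str:
    return "block" if b"SSN=" in p else "allow"

def logging_tool(p: bytes) -> str:
    return "allow"  # passive: records, never blocks

TOOLS: List[Tool] = [signature_tool, dlp_tool, logging_tool]

class CryptoMeter:
    """Counts decrypt/encrypt operations so the placements can be compared."""
    def __init__(self) -> None:
        self.decrypts = 0
        self.encrypts = 0
    def decrypt(self, key: bytes, blob: bytes) -> bytes:
        self.decrypts += 1
        return decrypt(key, blob)
    def encrypt(self, key: bytes, pt: bytes) -> bytes:
        self.encrypts += 1
        return encrypt(key, pt)

Result = Tuple[str, Optional[bytes]]  # (verdict, re-encrypted blob to forward or None)

def decrypt_at_each_tool(key: bytes, blob: bytes, tools: List[Tool], m: CryptoMeter) -> Result:
    """Placement 1: every inline tool decrypts, inspects and re-encrypts for the next hop."""
    for tool in tools:
        plaintext = m.decrypt(key, blob)
        if tool(plaintext) == "block":
            return "block", None
        blob = m.encrypt(key, plaintext)
    return "allow", blob

def broker_parallel(key: bytes, blob: bytes, tools: List[Tool], m: CryptoMeter) -> Result:
    """Placement 2a: the packet broker decrypts once and hands every tool a copy."""
    plaintext = m.decrypt(key, blob)
    if any(tool(plaintext) == "block" for tool in tools):
        return "block", None
    return "allow", m.encrypt(key, plaintext)

def broker_serial(key: bytes, blob: bytes, tools: List[Tool], m: CryptoMeter) -> Result:
    """Placement 2b: decrypt once, chain the tools; the first block ends the chain."""
    plaintext = m.decrypt(key, blob)
    for tool in tools:
        if tool(plaintext) == "block":
            return "block", None
    return "allow", m.encrypt(key, plaintext)

PLACEMENTS = {"decrypt_at_each_tool": decrypt_at_each_tool,
              "broker_parallel": broker_parallel,
              "broker_serial": broker_serial}

# Constructed sample flows (plaintext as it would look after TLS termination).
SAMPLE_FLOWS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"POST /upload HTTP/1.1\r\n\r\nMALWARE-SIGNATURE-TEST payload",  # signature hit
    b"POST /form HTTP/1.1\r\n\r\nname=bob&SSN=123-45-6789",         # DLP hit
    b"GET /healthz HTTP/1.1\r\n\r\n",
]

def compare_placements(flows: List[bytes], tools: List[Tool]) -> Dict[str, Dict[str, int]]:
    """Run every flow through each placement; return crypto-op counts and blocks."""
    key = hashlib.sha256(b"constructed demo session key").digest()
    summary: Dict[str, Dict[str, int]] = {}
    for name, placement in PLACEMENTS.items():
        meter, blocked = CryptoMeter(), 0
        for pt in flows:
            verdict, forwarded = placement(key, encrypt(key, pt), tools, meter)
            if verdict == "block":
                blocked += 1
            elif decrypt(key, forwarded) != pt:  # forwarded copy must still decrypt cleanly
                raise RuntimeError(f"{name} corrupted a forwarded flow")
        summary[name] = {"decrypts": meter.decrypts, "encrypts": meter.encrypts, "blocked": blocked}
    return summary

if __name__ == "__main__":
    for name, stats in compare_placements(SAMPLE_FLOWS, TOOLS).items():
        print(f"{name:22s} {stats}")
```

With the four sample flows and three tools, the per-tool placement performs 9 decryptions and 7 re-encryptions, while either broker placement performs 4 decryptions and 2 re-encryptions for exactly the same verdicts; the gap grows linearly with the number of tools, which is the CPU cost the article attributes to per-tool decryption.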
EMA researchers found that 25% of businesses decrypted data using a network visibility architecture. This strategy produced the following positive outcomes:
Aggregation of traffic, maximizing tool efficiency with faster FPGA processing, and sending the right traffic to the right tool
Load balancing data sent to tools, maximizing tool farm efficiency
A “decrypt one time to analyze all data” strategy, which greatly improves your success in detecting malware and eliminates individual tool decryption license fees
Decryption and encryption are resource-hungry activities that are best done once, in your network visibility architecture, on hardware built for the purpose of maximizing the efficiency of your analysis tools. They should not be done repeatedly at each security analysis tool.
Where you decrypt matters. Decrypt once, in your network visibility architecture, and maximize the benefits of your analysis tools.
Whether you are looking to reduce costs, meet compliance requirements, or enhance your security posture, Keysight is here to help. We have various network visibility and network security solutions for both NIST and CISA compliance. Reach out to Keysight Technologies and we can show you how to optimize your security solutions.
For additional information about why Where You Decrypt Network Data Matters, download the brief.