Time to turn up the high beam? Evaluating the optimum amount of network visibility

by Jeff Costlow, Chief Information Security Officer at ExtraHop


Does your organisation have a bird’s eye view of the company network or is its activity viewed ‘through a glass darkly’?

For many Australian organisations, it’s the latter and that can be to their detriment.

Historically, a visible environment has been the safest and most efficient sort to have, both for network administrators looking to optimise network traffic and systems performance, and cyber-security specialists seeking to keep high-tech infiltrators at bay.

The latter is no easy task.

Almost 50 per cent of Australian businesses experienced a cyber-attack between 2017 and 2018, according to PwC’s 2018 Global Economic Crime and Fraud Survey: Australian Report.

Cyber-crime was cited as the most disruptive economic crime of the day and the most significant threat to growth by survey respondents.

Significant data breaches also remain a frequent occurrence – in the final quarter of 2018, the Office of the Australian Information Commissioner, Australia’s privacy watchdog, received 262 notifications.

A clear view

Lack of visibility is the key security challenge faced by enterprises, according to recent research from SDxCentral. Mega-breaches such as last year’s PageUp incident, which saw thousands of job seekers’ details potentially exposed, highlight its importance.

But is resolving to increase the visibility of traffic the key to improved security, or is the situation somewhat more complex? 

Evolving information exchange protocols appear to have made it so.

It could be argued the enterprise computing world is heading towards a situation in which privacy, rather than security, is the predominant focus, courtesy of the advent of Perfect Forward Secrecy (PFS) protocol additions to TLS and the potential fading of time-tested RSA keys.

PFS handshakes make deep analysis of transaction-level details tricky for security teams. The protocol effectively compromises the power they have to protect the network from breaches, precisely because it takes the capacity for error (a mishandled long-term key) out of individuals’ hands.

Unique session keys are generated for each and every session, which means even if one were to fall into the wrong hands, it could not be used to decrypt any prior sessions.

Conversely, under the legacy RSA cryptosystem, private keys must be kept secret. If one is lost or compromised, it can potentially provide an illicit ‘in’ to a wealth of sensitive information.

Cyber-security professionals and IT operations staff are likely to have differing views on the merits of the two approaches.

Under a PFS-driven regime, attackers may not be able to decrypt data but, on the other hand, the IT team can also effectively be locked out – a problem if they’re seeking to identify anomalies and ensure the smooth running of the network. An RSA regime, meanwhile, can provide much greater visibility – to good and bad actors alike.
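To make the contrast between the two regimes above concrete, here is an added toy simulation (my own example, not code from the article or from ExtraHop): one recorded handshake uses RSA key transport, the other ephemeral Diffie-Hellman, and an observer holding the server's long-term private key tries to recover each session key from the recording. The RSA primes and the DH group are constructed, deliberately tiny values so the arithmetic runs instantly; they illustrate the structure, not a secure parameter choice.

```python
import hashlib
import secrets

# Constructed toy parameters (far too small for real use; chosen so the maths runs instantly)
P, Q, E = 1000003, 999983, 65537                 # toy RSA primes and public exponent
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))      # server's long-term RSA key pair
DH_P, DH_G = 2147483647, 7                       # toy Diffie-Hellman group (prime, generator)


def session_key(secret: int) -> bytes:
    """Derive a session key from the agreed secret (stand-in for the TLS key schedule)."""
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def handshake_rsa():
    """Legacy regime: client encrypts a random premaster to the server's long-term key.
    The recording contains the ciphertext, so the long-term key unlocks it later."""
    premaster = secrets.randbelow(2**32)
    transcript = {"kex": "rsa", "enc_premaster": pow(premaster, E, N)}
    return session_key(premaster), transcript


def handshake_dhe():
    """PFS regime: fresh ephemeral exponents per session, discarded afterwards.
    The recording only contains g^x and g^y; the long-term key signs, it never decrypts."""
    x = secrets.randbelow(DH_P - 2) + 1
    y = secrets.randbelow(DH_P - 2) + 1
    gx, gy = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)
    key = session_key(pow(gy, x, DH_P))          # same value as pow(gx, y, DH_P) on the client
    del x, y                                     # ephemeral secrets are never persisted
    return key, {"kex": "dhe", "gx": gx, "gy": gy}


def passive_decrypt(transcript: dict, long_term_d: int):
    """What an observer with the server's long-term private key recovers from a recording."""
    if transcript["kex"] == "rsa":
        return session_key(pow(transcript["enc_premaster"], long_term_d, N))
    return None  # DHE: recovering x from g^x is the discrete-log problem; the key does not help


def demo() -> dict:
    """For each regime, report whether the recorded session key was recovered."""
    results = {}
    for handshake in (handshake_rsa, handshake_dhe):
        key, transcript = handshake()
        results[transcript["kex"]] = passive_decrypt(transcript, D) == key
    return results  # {'rsa': True, 'dhe': False}
```

The outcome is the visibility trade-off the article describes: the same long-term key that lets a defender decrypt recorded RSA sessions lets an attacker who steals it do the same, while under DHE both are locked out and analysis has to move to behaviour and metadata.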

Following the crowd

IT industry heavyweights appear to have voted with their feet on this issue. Google, Twitter, WhatsApp and Facebook Messenger have all been offering PFS for several years now, and Apple Store recently mandated PFS-supporting protocols for all its apps. Where the big players lead, others follow, which means it’s highly likely the industry’s new norm is already being bedded down.

Back in 2014, the Internet Engineering Task Force elected to remove RSA key exchange from Transport Layer Security (TLS) 1.3 and maintained that only PFS-supporting protocols would be supported in later iterations.

Technology is the challenge – and the solution

Technology may well hold the key to achieving the optimum balance between privacy and security in the PFS-driven future. As machine learning continues to evolve, its ability to analyse network behaviour and weed out anomalies is likely to improve exponentially.

Down the track, security staff can reasonably expect to find themselves in the position where decrypting everything is no longer necessary or desirable. Only that traffic which presents as suspicious will require unlocking and analysing.

Neither open-to-the-world visibility nor entirely encrypted opacity – the optimum solution to this security conundrum may well lie somewhere midway between the two.
