Security Report

Security Empowers Business

THE VISIBILITY VOID
Attacks through HTTPS can be a vulnerability for enterprises

The use of encryption protocols, Transport Layer Security (TLS) or Secure Sockets Layer (SSL), to protect web and email content is now entering its second decade. Research conducted by Canadian broadband management company Sandvine found that the number of Internet users encrypting their online communications has doubled in North America and quadrupled in Latin America and Europe over the past year alone.1 Thankfully, encryption is here to stay, but it is not without its risks. To identify hidden threats to the business, enterprises need complete visibility into encrypted traffic. At the same time, to comply with local privacy regulations and their own acceptable use policies, enterprises must have the means to decrypt this traffic selectively rather than wholesale. An encrypted traffic management strategy must therefore consider various business needs, established corporate policies, and compliance mandates.

1 https://www.sandvine.com/downloads/general/global-internet-phenomena/2014/1h-2014-global-internet-phenomena-report.pdf

The dawn of a digital dark age

As privacy concerns reach an all-time high, the industries where data represents a prized commodity – social media, mobile, and communications – have understandably responded by broadly adopting encryption. Personal privacy concerns have led to goliaths such as Google and Facebook switching to an “always on HTTPS” model to protect data in transit (see Figure 1). Every minute, at least 4,000,000 Google searches; 2,460,000 shares on Facebook; 48,000 Apple app downloads; and 23,300 hours of Skype conversations take place2 – all of them protected by SSL encryption. Google has recently announced that HTTPS sites are more positively weighted in Google search results.3

All this increased adoption of “transport encryption” takes place in an environment where use of encryption technology in general is becoming routine. For example, technology giant Apple recently announced that its iOS 8 operating system will encrypt all data, by default, on its phones and tablets; the protected data includes photos, messages, contacts, reminders and call history. The explosion of data created by an ever-connected world and growing concern about data privacy means much more opportunity for serious cyber threats and data loss.

TOP 10 MOST VISITED WEBSITES – Growing Use of Encryption
1 Google.com
2 Facebook.com
3 Youtube.com
4 Yahoo.com
5 Baidu.com
6 Wikipedia.com
7 Amazon.com
8 Twitter.com
9 Linkedin.com
10 Qq.com
Figure 1: 8 out of the Top 10 global websites use HTTPS (Source: Alexa). Legend: Encrypted Sites (HTTPS) / Sites Not Encrypted.

2 DOMO, Data Never Sleeps 2.0
3 http://googleonlinesecurity.blogspot.com/2014/08/https-as-ranking-signal_6.html

But does encrypted mean safe?

In a typical seven-day period, Blue Coat found that 69% of the top 50 websites visited by its customers use HTTPS by default. Only sites focusing on publishing daily news or entertainment (e.g. ESPN, BBC News, CNN, or Pandora) use the easily-monitored unencrypted HTTP protocol. Of the top 10 most visited customer sites globally, as ranked by Alexa, nearly all use encryption to deliver at least some content. In order to try to manage encrypted traffic, some companies block traffic to these sites, despite employee requests to browse those websites during working hours.

While a benefit for privacy purposes, the blanket use of encryption means that many businesses are unable to govern the legitimate corporate information entering and leaving their networks, creating a growing blind spot for enterprises. This growing visibility void also creates opportunities for attackers to deliver malware directly to users, bypassing network security tools. The lack of visibility into SSL traffic represents a potential threat, especially given that benign and hostile uses of SSL are indistinguishable to many security devices: both look like opaque TLS sessions to a server on port 443.

The tug of war between personal privacy and corporate security is unfortunately leaving the door open for novel malware attacks involving SSL over corporate networks. For corporations to secure customer data, they need visibility into encrypted traffic so that they can see the threats hiding in it.

The hostile use of encryption is set to increase in the coming years. Gartner believes by 2017 more than half the attacks on networks will employ some form of encrypted traffic to bypass security.4 This in part will be due to large web properties and hosting services making a switch to the HTTPS protocol. While banks and shopping sites already protect data using such encryption, HTTPS is becoming the rule, rather than the exception.

4 Gartner, Security Leaders Must Address Threats from Rising SSL Traffic, Jeremy D’Hoinne and Adam Hills, December 9, 2013

The good news: You can maintain privacy and still be secure

Of great concern is the low level of sophistication malware coders need to compromise a network using encryption. Why? Many enterprises are under the illusion that what they can’t see can’t hurt them. Malware attacks using encryption as a cloak do not need to be complex, because the malware operators believe that encryption prevents the enterprise from seeing what they are doing.

Blue Coat’s Global Intelligence Network routinely observes encrypted traffic used for the delivery and command and control of malware, as well as other types of malevolent activity, such as phishing. Some of these attacks not only steal personal data from the infected machine, but leverage that machine’s position within the corporate network to pivot and steal sensitive enterprise information.

Knowing that no one wants to stop encrypting traffic, enterprises need a way to stop threats that are being delivered through encrypted traffic. The good news is that maintaining the privacy of employee personal information and adhering to compliance regulations is possible while still protecting the enterprise from unwanted intrusions and threats. A policy-based solution decrypts and inspects only targeted traffic, to enhance network security while complying with laws and policies.

IN A TYPICAL 7 DAY PERIOD the Global Intelligence Network receives:
- Over 40,000 requests to newly classified malicious hosts over HTTPS – a strong indication of new infections
- Over 100,000 requests to known malware servers over HTTPS – a strong indication of exfiltration in progress
Figure 2: In a typical seven-day period, Blue Coat Labs receives around 100,000 requests for information about sites using the HTTPS protocol for command and control of malware.

Open and transparent security protocols, along with tight controls limiting the use of decrypted data (e.g., to network security only), can be combined with regional and tailored IT monitoring notices to employees to maintain compliance with privacy protocols. The true risk for an enterprise is to consider privacy and security as mutually exclusive. Privacy should not be a trade-off for security. Legitimate business justifications allow the enterprise to keep the network secure and IP protected while maintaining the integrity of personal data.

Encrypted Traffic Management allows organizations to protect stakeholders by being smart about what is seen and what is not. Encryption isn’t the enemy – it protects your business, customers and employees. Encrypted Traffic Management is essential to ensuring the safety of virtually anything worth protecting. Services such as email, banking and finance, cloud-based services, and industrial systems control some of the most important data in any company.


However, the dangers associated with this protective wrapper around messaging, file-transfer technologies and cloud applications cannot be ignored. Significant data loss can occur as a result of malicious acts by hostile outsiders or disgruntled insiders, who can easily transmit sensitive information out of the network under the same encryption. Today a watchful team of security incident responders is required, or the consequences can be serious.

DECRYPTION AND PRIVACY CAN CO-EXIST.

Closing the curtains

As already mentioned, malware hiding in encrypted traffic is typically unsophisticated, presenting an opportunity for businesses to easily find and block attacks once the traffic is decrypted.

Despite concerted effort from government and private enterprises against cyber criminals intent on exploitation, the onslaught is unforgiving. After authorities effectively shut down Zeus5, one of the most successful Trojan horse malware families, in a coordinated raid, criminals intent on data theft needed an alternative. Dyre, a widely distributed, password-stealing Trojan originating in Ukraine, is trying to fill the power vacuum left behind when Zeus was shut down. In a cyber equivalent of Whack-A-Mole, Dyre quickly replaced Zeus, using the same infection mechanisms and achieving the same goals, with the help of encryption.

All of Dyre’s command-and-control traffic is, by default, carried back to its infrastructure over TLS/SSL. Without decryption, the bot can enter an enterprise network undetected: targets are lured into clicking links to malware contained in phishing emails, and once in, the criminal organization extracts user information under the cover of encryption so that it can be sold to the highest bidder.

5 http://en.wikipedia.org/wiki/Zeus_(Trojan_horse)


Encryption and Visibility

As a result of recent massive data breaches and the regular use of encryption that can mask the criminal exfiltration of proprietary information, encrypted traffic needs to be properly managed. Encrypted Traffic Management is a mechanism to responsibly use encryption to protect data, whilst preventing actors with hostile intent from abusing these services.

Decryption does not have to compromise privacy; rather, it provides enterprises a way to effectively manage traffic. The risk of a security incident, which could ultimately lead to serious data loss, is not something that just happens to other companies. It is time to take charge of privacy instead of turning a blind eye to the growing volume of encrypted traffic. The visibility void created when the web turns its lights out on network traffic has serious implications for the enterprise, yet holds the key to data privacy. By approaching encrypted traffic with a clear, policy-driven management approach, businesses can take to the frontline in cyber warfare.

Best Practices for Managing Encrypted Traffic

Security demands must be balanced with privacy and compliance requirements. Because employee privacy policies and compliance regulations vary geographically, per organization and per industry, businesses need flexible, customizable and policy-driven decryption capabilities to meet their unique business needs. To preserve employee privacy while combating threats hiding in encrypted traffic, IT security departments should:

• Take inventory and plan for growth – Assess the volume of SSL-encrypted network traffic in your organization (we typically see 35 percent – 45 percent of network traffic being encrypted), including the mix of traffic types (not just web/HTTPS traffic), current volume and projected increase.

• Evaluate the risk of un-inspected traffic – In addition to malware coming into the enterprise, examine what type of data is at risk from both a security (exfiltration) and privacy standpoint. Share insights across IT, security, HR and legal departments.

• Create an action plan – Evaluate employee “acceptable use” policies, privacy requirements and compliance regulations and create formal policies to control and manage encrypted traffic based on traffic type, origination and other security and privacy considerations.

• Apply granular policy control – Selectively identify, inspect, and decrypt web-based SSL traffic according to your established policies. Decrypted data can then be processed by the security tools you have already invested in on the network, such as network antivirus, advanced threat protection solutions, DLP and others.

• Monitor, refine and enforce – Constantly monitor, refine and enforce the privacy and security policies for encrypted applications and traffic in and out of your network, and make sure they stay in sync with corporate policy and regulations.


© 2014 Blue Coat Systems, Inc. All rights reserved. Blue Coat, the Blue Coat logos, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter, CacheEOS, CachePulse, Crossbeam, K9, the K9 logo, DRTR, Mach5, Packetwise, Policycenter, ProxyAV, ProxyClient, SGOS, WebPulse, Solera Networks, the Solera Networks logos, DeepSee, “See Everything. Know Everything.”, “Security Empowers Business”, and BlueTouch are registered trademarks or trademarks of Blue Coat Systems, Inc. or its affiliates in the U.S. and certain other countries. This list may not be complete, and the absence of a trademark from this list does not mean it is not a trademark of Blue Coat or that Blue Coat has stopped using the trademark. All other trademarks mentioned in this document owned by third parties are the property of their respective owners. This document is for informational purposes only. Blue Coat makes no warranties, express, implied, or statutory, as to the information in this document. Blue Coat products, technical services, and any other technical data referenced in this document are subject to U.S. export control and sanctions laws, regulations and requirements, and Blue Coat Systems Inc. may be subject to export or import regulations in other countries. You agree to comply strictly with these laws, regulations and requirements, and acknowledge that you have the responsibility to obtain any licenses, permits or other approvals that may be required in order to export, re-export, transfer in country or import after delivery to you.

v.BC-THE-VISIBILITY-VOID-EN-v1f-1114

www.bluecoat.com
Corporate Headquarters: Sunnyvale, CA, +1.408.220.2200
EMEA Headquarters: Hampshire, UK, +44.1252.554600
APAC Headquarters: Singapore, +65.6826.7000