Can anyone suggest ...
How to detect or prevent malware in encrypted traffic without depending on a security tool
I am aware that Cisco comes with Encrypted Traffic Analytics (ETA), which monitors network packet metadata to detect malicious traffic even if it's encrypted, but I would like to know of any other suggestions for detection and prevention controls.
Thanks
ETA solutions look for patterns in the traffic, read un-encrypted metadata, flag suspicious packets, and so on --- but if the traffic isn't actually decrypted for full inspection, there's no guarantee that it's devoid of malware.
@iluom, if implementing decryption at an intermediate device --- such as a proxy --- raises privacy concerns, you could attempt to tailor it. For example, I've added an exception to our privacy policy for the inspection of data coming into our organization's network. (I confess, I work in KSA where employee privacy isn't of so much concern)
At the end of the day, preventing such attacks --- or at least reducing their impact --- calls for a defense-in-depth approach. You should have preventive and detective measures implemented at the perimeter, on the end-points, and across the entire network, with the solutions integrated with one another.
If a perimeter device using ETA doesn't detect malware, and it gets decrypted on a user's system, an end-point security system there can quarantine the malware and isolate the system, as well as relay information to integrated systems to take action at the network level.
With a layered approach, you have some assurance that should malware get past one layer, it still has to get through others.
We can't always depend on employee awareness here --- someone who sees his system acting strangely may just lean back and start using his smart phone rather than call Support --- so the solution should also be properly configured to alert the IT Security team.
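The reply above makes the key point: ETA-style detection reads the metadata that TLS leaves in the clear and never sees the payload. To make that concrete, here is an added example (not from the original thread, and not any vendor's code) of a minimal sensor in Python: it parses the unencrypted ClientHello, extracts the SNI and computes a JA3 fingerprint (MD5 over TLS version, cipher suites, extensions, groups and point formats, with GREASE values removed), then applies three checks that need no key at all. The two ClientHello records and the blocklist entry are hand-assembled for this example and are not captures or real threat-intelligence indicators.

```python
"""Metadata-only inspection of a TLS ClientHello: no key, no decryption.
Sample records and the blocklist below are constructed for this example."""
import hashlib
import struct

class Reader:
    """Bounds-checked cursor: a hostile length raises ValueError, never IndexError."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError(f"truncated: need {n} bytes at offset {self.pos}")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def u8(self): return self.take(1)[0]
    def u16(self): return struct.unpack("!H", self.take(2))[0]
    def u24(self): return int.from_bytes(self.take(3), "big")
    def more(self): return self.pos < len(self.data)

def is_grease(v):
    """GREASE values (RFC 8701) look like 0x0a0a, 0x1a1a, ...; JA3 ignores them."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)

def list16(data):
    """Decode a list of 16-bit values, dropping GREASE entries."""
    r, out = Reader(data), []
    while r.more():
        v = r.u16()
        if not is_grease(v):
            out.append(v)
    return out

def parse_client_hello(record):
    """Parse one TLS record carrying a ClientHello into the fields JA3 uses."""
    r = Reader(record)
    if r.u8() != 0x16:
        raise ValueError("not a TLS handshake record")
    r.u16()                                  # record-layer version; JA3 uses the inner one
    body = Reader(r.take(r.u16()))
    if body.u8() != 0x01:
        raise ValueError("not a ClientHello")
    hs = Reader(body.take(body.u24()))
    meta = {"version": hs.u16(), "sni": "", "ciphers": [], "extensions": [],
            "curves": [], "point_formats": []}
    hs.take(32)                              # client random
    hs.take(hs.u8())                         # session id
    meta["ciphers"] = list16(hs.take(hs.u16()))
    hs.take(hs.u8())                         # compression methods
    exts = Reader(hs.take(hs.u16()))
    while exts.more():
        ext_type = exts.u16()
        d = Reader(exts.take(exts.u16()))
        if is_grease(ext_type):
            continue
        meta["extensions"].append(ext_type)
        if ext_type == 0:                    # server_name: list len, name type, name len, name
            d.u16(); d.u8()
            meta["sni"] = d.take(d.u16()).decode("ascii", "replace")
        elif ext_type == 10:                 # supported_groups
            meta["curves"] = list16(d.take(d.u16()))
        elif ext_type == 11:                 # ec_point_formats
            meta["point_formats"] = list(d.take(d.u8()))
    return meta

def parse_or_none(record):
    """A sensor must drop malformed input, never crash on it."""
    try:
        return parse_client_hello(record)
    except ValueError:
        return None

def ja3(meta):
    """Return the JA3 string and its MD5 digest, the form threat feeds publish."""
    fields = ["-".join(map(str, meta[k])) for k in ("ciphers", "extensions", "curves", "point_formats")]
    s = ",".join([str(meta["version"])] + fields)
    return s, hashlib.md5(s.encode()).hexdigest()

def assess(meta, blocklist):
    """Three checks that need no decryption: blocklisted JA3, missing SNI, legacy version."""
    digest = ja3(meta)[1]
    checks = [(digest in blocklist, f"JA3 {digest} matches {blocklist.get(digest)}"),
              (not meta["sni"], "no SNI: client hides the name it is connecting to"),
              (meta["version"] < 0x0303, f"legacy TLS version 0x{meta['version']:04x}")]
    return [msg for hit, msg in checks if hit]

# Hand-assembled records, not captures. Browser-like: SNI, GREASE cipher/group/extension,
# TLS 1.2/1.3 suites. Tool-like: TLS 1.0, no SNI, three legacy suites.
BROWSER_HELLO = bytes.fromhex(
    "16 0303 006e  01 00006a  0303" + "00" * 32 + "00"
    + "000a 0a0a 1301 1302 c02b c02f  0100  0037"
    + "0000 0010 000e 00 000b" + b"example.com".hex()
    + "000a 0008 0006 2a2a 001d 0017  000b 0002 0100"
    + "3a3a 0000  0017 0000  ff01 0001 00  000d 0000")
TOOL_HELLO = bytes.fromhex(
    "16 0301 0041  01 00003d  0301" + "00" * 32 + "00"
    + "0006 002f 0035 000a  0100  000e  000a 0004 0002 0017  000b 0002 0100")

# Constructed blocklist keyed by JA3 digest (derived from TOOL_HELLO; not a real indicator).
KNOWN_BAD = {hashlib.md5(b"769,47-53-10,10-11,23,0").hexdigest(): "constructed sample signature"}
```

Running `assess(parse_client_hello(TOOL_HELLO), KNOWN_BAD)` returns three findings for the crude client and none for the browser-like hello. The limits are exactly the ones the reply states: a fingerprint or a missing SNI says something about the client, nothing about the payload, so a clean verdict here is no assurance the stream is free of malware; JA3 values shift with every client update and are trivial for an attacker to mimic; and TLS 1.3 Encrypted ClientHello removes the SNI signal altogether.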
Interesting that most have concentrated on a single vendor, Cisco. If you look carefully within government circles, their policies and controls often mandate TLS decryption for web traffic and also for identity and access portals. To give you some examples: Identity Security Access Manager (ISAM) for Business has a web proxy called WebSeal, with proxies for both mobile and web services and an inbuilt layer 4 to layer 7 WAF, which, by using the server's digital certificate, can decrypt and check the incoming and outgoing traffic before it is allowed into the organisation's web servers/farm etc.
Other vendors use F5 with its Advanced Security Module, which has good layer 4 to layer 7 TLS inspection capabilities in virtual or physical formats.
However, from experience, you need plenty of testing, non-production environments and proofs of concept, because the manufacturers' claims often have to be verified and tested carefully; sometimes their claims do not add up in reality.
Regards
Caute_cautim
Surely there are many vendors offering "man in the middle" decryption and inspection, but the original question was about the ability to detect malware within encrypted traffic...
In that case you will always need the ability to decrypt the incoming transmission, and you may have to re-encrypt it again by policy before it is forwarded on to the final destination. Normally one would have an assured solution, as it normally has to hold a copy of the private key for decryption purposes. The solution normally has a proxy or an SSL/TLS forwarding capability with layer 4 to layer 7 inspection capabilities.
Regards
Caute_cautim
WAF (Web Application Firewalls) may help to address this issue. These firewalls are specific enough that they know the way the application should be behaving and can detect even the smallest unusual activity and bring it to a stop. In addition, WAFs can also provide protection against network-based attacks such as DoS or DDoS attacks.
Reverse and forward proxies would help.
Any comments please?
Yes, you could do it that way; there are also other means, via a front web application proxy or mobile-aware proxy with one-way key decryption, or, as you state, a forward or reverse proxy as well. There also appears to be another method: using a cloud-based web application API, which some vendors provide as a stop gap to keep PCI DSS issues from arising, i.e. TLS v1.0 issues, and preventing access and related vulnerabilities.
This is more of a stop-gap approach than a permanent one, but I often see it taken up as a solution, which appears to become the norm.
Regards
Caute_cautim
@iluom wrote:
> WAF (Web Application Firewalls) may help to address this issue
@iluom, what / whom do you ultimately want to protect from the malware? Whatever solution you employ, it will have to be able to decrypt the traffic --- unless that isn't permitted by your organization's policy.
Keep in mind that a WAF is meant to protect a Web Application itself, and not end-users / end-points.
> iluom (Contributor I) posted a new reply in Tech Talk on 04-06-2019 02:55 AM
> WAF (Web Application Firewalls) may help to address this issue. These
> firewalls are specific enough that they know the way the application should be
> behaving and can detect even the smallest unusual activity and bring it to a
> stop.
Application-level firewalls get really complicated really quickly. Some may have a heuristic activity monitoring component, but only something with an added host-based sensor component is actually going to detect the resultant unusual activity.