Unmasking Bad Actors with Gigamon

December 7, 2017 by Tom Hollingsworth

The future of traffic is secure. We’ve seen a huge shift from merely having SSL-enabled sites for login purposes to the new normal of always-SSL sites for everything you do. That shift toward automatic security has helped build a trusted platform for users to feel secure at all times, and it has decreased the vulnerability they feel when filling in forms or typing in their credit card info for an order.

But what happens when the bad guys start using the same security we enjoy to hide their nefarious intent?

Behind The Mask

At Networking Field Day 15, Gigamon gave a great presentation in which they discussed the idea that a growing segment of network traffic is encrypted malware (the video is embedded in the original post):

[Video: Gigamon presentation at Networking Field Day 15]

At first, even the people around the table can’t believe it’s so low. I couldn’t believe it either. I think that 33% is a low number for sure, but I also think it reflects the challenge of getting illegitimate software authorized by legitimate means.

We’ve already seen breaches of certificate authorities like Comodo and Symantec. Rather than doing the due diligence necessary to prove that the person requesting the certificate was legitimate, they simply rubber-stamped the approval process and took the money. And the malware writers are doing even more creative things, like signing their payloads with multiple valid certificates to avoid being detected.

This leads me to think that we’re only just starting to see the beginning of encrypted malware. Once the writers figure out how to sign these payloads and slip them into a packet stream, you’re going to see even more issues with detection. SSL is great for keeping your credit card number secure when buying from Amazon. But that same security obfuscates the payload of a malicious program from the network defenses scanning it.

Removing the Cowl

Gigamon outlined how they are using their technology to crack the packet flows and decrypt them to analyze their payloads. Their inline solution gives organizations the capability to intercept SSL traffic and perform decryption and analysis. That means that one platform can provide the visibility you need across a wide breadth of sensors, like intrusion protection, firewalls, and even encrypted server-to-server communications. That reduces the attack surface for intruders trying to compromise your infrastructure looking for the keys to decrypt all of your traffic. One central location is much easier to secure than decryption protocols across multiple disparate systems.

Additionally, the Gigamon SSL Decryption solution can detect SSL communications per application even when they aren’t using port 443. This is huge for those malware applications that open what looks like a normal communications channel to start the session and then switch to SSL when it’s time to transmit the data that would get them detected. By having a solution that can find the encrypted packets and deal with them in real time, you reduce the likelihood that anything bad slips through the cracks and ensure that you will find the bad actors before they compromise your security infrastructure.
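The port-independent detection described above comes down to inspecting packet content rather than trusting the port number. The following Python is an added illustration, not Gigamon’s code: it recognizes a TLS ClientHello record anywhere in a TCP payload, so a flow that starts in cleartext on port 25 or 8080 and then begins a TLS handshake is still flagged. The traffic sample and the hostnames in it are constructed for the example.

```python
import struct

TLS_HANDSHAKE, CLIENT_HELLO = 0x16, 0x01   # record content type, handshake message type

def is_tls_client_hello(payload: bytes) -> bool:
    """Content-based check for a TLS ClientHello at the start of a TCP payload.
    The port is never consulted, which is the whole point of the technique."""
    if len(payload) < 9:
        return False
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != TLS_HANDSHAKE or major != 3 or minor > 4:   # SSL 3.0 .. TLS 1.3 record versions
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")             # 3-byte handshake length
    return hs_type == CLIENT_HELLO and hs_len + 4 <= rec_len  # message must fit the record

def build_client_hello(sni: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello carrying one server_name extension."""
    host = sni.encode()
    sni_ext = (struct.pack("!HH", 0, len(host) + 5)            # extension type 0, extension length
               + struct.pack("!HBH", len(host) + 3, 0, len(host)) + host)
    body = (b"\x03\x03" + b"\x11" * 32                         # client version + random
            + b"\x00"                                          # empty session id
            + b"\x00\x02\xc0\x2f"                              # one cipher suite
            + b"\x01\x00"                                      # null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", TLS_HANDSHAKE, 3, 3, len(handshake)) + handshake

def find_offport_tls(packets):
    """Return (dst_port, offset) for every packet whose payload contains a ClientHello
    on a port other than 443. Each packet is (dst_port, payload). Every byte offset is
    scanned so a hello following a cleartext preamble in the same segment is still caught."""
    hits = []
    for port, payload in packets:
        for off in range(len(payload) - 8):
            if is_tls_client_hello(payload[off:]):
                if port != 443:
                    hits.append((port, off))
                break
    return hits

# Constructed traffic sample (not captured data)
SAMPLE = [
    (443, build_client_hello("bank.example")),                           # ordinary HTTPS, expected
    (8080, build_client_hello("c2.example")),                            # TLS on a non-standard port
    (25, b"EHLO mail.example\r\n" + build_client_hello("mail.example")),  # cleartext, then TLS
    (80, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),                # plain HTTP, ignored
]

if __name__ == "__main__":
    print(find_offport_tls(SAMPLE))   # [(8080, 0), (25, 19)]
```

A production sensor would additionally track flow state so the hello is only accepted where a handshake can legitimately begin, which keeps random binary data from matching the 9-byte header pattern.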

The Slippery Slope

A lot of the discussion around tools like Gigamon’s SSL Decryption deals with the fact that we’re essentially performing an attack against the traffic. By inserting a device in the middle of the data stream that decrypts and re-encrypts the data, we’re performing a classic man-in-the-middle (MITM) attack. There are more than a few security professionals who are wary of giving a solution that much power. Even the most technologically illiterate user would be cautious if they found out that their secure bank transaction had something in the middle listening to the packet flow.

However, we have to weigh the benefits of this solution against the potential risks. By having a MITM perform traffic analysis, you can catch the bad programs before they hurt your users. Yes, there is a risk. However, it’s a manageable risk for security professionals. There are also challenges with getting the Gigamon certificates loaded onto guest devices and IoT infrastructure like smart thermostats and other devices that don’t allow for much user interaction. But, like most email scanning systems and data loss prevention (DLP) devices, you need to be able to see what’s going on in the network to stop the things that shouldn’t be happening. Creating and maintaining a solution with a very narrow focus is the key to ensuring security across your organization against threats both current and future.

Putting It All Together

I’ll admit that I find myself going back and forth on the SSL decryption argument. I like my privacy. But I also know that the average user is going to fall for a spearphishing attack at some point. Multiply that by the number of users in your organization and you see the potential for disaster. Now, imagine that disaster comes cloaked behind SSL and is untraceable by your current protection mechanisms. I’ve already had to fight the filtering of Facebook in a school when SSL-always was enabled. Knowing there’s a solution that can give me visibility gives me hope that we can stem the tide of encrypted malware before it becomes a flood. We just have to temper our newfound power with heaps of responsibility.

About Tom Hollingsworth

Tom Hollingsworth is a networking professional, blogger, and speaker on advanced technology topics. He is also an organizer for networking and wireless for Tech Field Day. His blog can be found at https://networkingnerd.net/

Filed Under: Exclusive, Featured, Tech Field Day Tagged With: #NFD15, @Gigamon, @NetworkingNerd, Encryption, Malware, SSL
