These days I keep thinking about whether we still need a network tapping solution for real-time security threat monitoring, since the majority of applications are moving to end-to-end encryption. There is not much content that legacy network tapping and analytics devices can see. Does this technology still have value when all IT/OT traffic is encrypted?
Let's take a look at how a network tapping solution benefits security threat monitoring. Usually, network tapping is done via a switch SPAN port/port mirror or with dedicated hardware that taps the network traffic. By tapping the network, all traffic and flows can be duplicated to other devices for further investigation and analysis without interrupting normal network communication. Well-known vendors such as Gigamon and NetOptics provide network taps and content switches to feed the traffic to multiple devices and destinations (e.g. IDS, anti-malware, security analytics, SIEM, DLP, APM). So the primary benefit of a network tapping solution is visibility into what is happening within your network environment. It is up to the security analytics or SIEM devices to process and analyze the security threats and malicious activities. So there is nothing wrong with the network tapping solution itself: it just copies the network traffic passing through it and sends it to the destination that can look into it.
So maybe I need to change the title a little to ask whether network security analytics solutions such as NetWitness are still useful when all traffic is encrypted.
Obviously, the short answer is yes. But if the network security analytics tool cannot see the plaintext content of the traffic, the value of this technology is definitely reduced. In this case, companies try to decrypt the network traffic by inserting a 'trusted' certificate on a device that acts as a man-in-the-middle. However, this is not an ideal solution. It is only applicable to companies with an internal CA that can force staff to trust their internally issued root certificates. But with the move to the cloud, self-issued certificates are not accepted in the public Internet environment. And more and more applications enforce end-to-end encryption and even bidirectional verification, which means the traditional way of using trusted certificates to decrypt traffic will potentially break application communication. This is a great enhancement in application security.
Instead of looking for ways to decrypt traffic, I'd like to embrace encryption. I love that Let's Encrypt provides free SSL certificates for everyone. Encryption is important in security. But although you may use encryption to protect data and privacy, attackers use it to conceal malware and evade detection by network security products. Then what can we do to monitor network security? Some new technologies apply machine learning and statistical modeling to encrypted traffic analytics, enhancing netflow analysis so that it can determine, to a certain degree, whether encrypted traffic on the network is malicious. Furthermore, big data and AI technologies help network security analytics.
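As an added example that is not part of the original post, here is a small Python script showing the kind of statistical flow analysis described above: it works only on NetFlow-style metadata (timing and byte counts), never on payload, and flags connection pairs whose timing and sizes are unusually regular. The flow records, their field layout and the thresholds are constructed for illustration, not taken from any vendor product.

```python
# Added example (not from the original post): statistical encrypted-traffic
# analytics over NetFlow-style records. Field layout, sample flows and
# thresholds are constructed assumptions for illustration only.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (start_time_s, src, dst, dst_port, bytes_out, bytes_in)
FLOWS = [
    # Regular 60 s check-in with near-constant payload sizes (suspicious pattern)
    *[(t, "10.0.0.5", "203.0.113.9", 443, 512, 640) for t in range(0, 600, 60)],
    # Interactive browsing: irregular timing, widely varying sizes
    (3, "10.0.0.7", "198.51.100.20", 443, 1200, 45000),
    (41, "10.0.0.7", "198.51.100.20", 443, 800, 12000),
    (52, "10.0.0.7", "198.51.100.20", 443, 3000, 210000),
    (300, "10.0.0.7", "198.51.100.20", 443, 950, 8000),
    (480, "10.0.0.7", "198.51.100.20", 443, 600, 5000),
]

def score_pairs(flows, min_flows=5):
    """Return {(src, dst, port): features} for pairs with >= min_flows flows."""
    by_pair = defaultdict(list)
    for t, src, dst, port, b_out, b_in in flows:
        by_pair[(src, dst, port)].append((t, b_out, b_in))
    results = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [b_out + b_in for _, b_out, b_in in recs]
        # Coefficient of variation: close to 0 means machine-like regularity
        gap_cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) else 0.0
        results[pair] = {"flows": len(recs), "gap_cv": gap_cv, "size_cv": size_cv}
    return results

def flag_beacons(features, gap_cv_max=0.2, size_cv_max=0.2):
    """Flag pairs whose inter-flow timing and flow sizes are both highly regular."""
    return sorted(p for p, f in features.items()
                  if f["gap_cv"] <= gap_cv_max and f["size_cv"] <= size_cv_max)

if __name__ == "__main__":
    feats = score_pairs(FLOWS)
    for pair, f in feats.items():
        print(pair, f)
    print("beacon candidates:", flag_beacons(feats))
```

Real deployments would add further metadata features (TLS version, SNI, certificate age, duration) and tune thresholds against a baseline of the organisation's own traffic; the point is that none of this requires decrypting the payload.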
To conclude my point, network tapping will no longer be so important to enterprise security operations as the majority of traffic becomes encrypted. However, I still see a future in network traffic monitoring and analytics, but the technology needs a big innovation.