By Simon Mullis, CTO of Venari Security
For highly regulated industries, like finance, protecting sensitive data is not only a foundational requirement of regulation; it must also be prioritised because of the heavy duty of care that organisations owe their customers. Personal financial information is a highly coveted, valuable and ultimately saleable asset for cybercriminals looking to maximise profit, making the industry a prime target. As we’ve seen from past high-profile incidents, and from examples of poor network security practices, the reputational damage and financial penalties for organisations found to be breaking data security legislation can be severe – like JPMorgan’s $200M fine for failure to monitor employee data practices.
While the core tenets of privacy are understood universally, the growing volume of data that firms are required to process and safeguard, and the speed at which they are required to do so in the digital age, present significant operational challenges. In response, governments and regulators are now mandating that organisations implement best-practice encryption, with financial ramifications for data leaks.
This has subsequently driven a massive uptake in encryption to ensure compliance and the security of customer data. However, whilst encryption can absolutely support privacy, and is often required for regulatory compliance, it can also introduce its own risks that businesses need to mitigate.
Growing adoption of encrypted communications
This shift is evidenced by 62% of the top 1,000 global websites now supporting TLS 1.3, the current best-practice standard that ensures strongly encrypted communications. Apple also no longer supports the early versions TLS 1.0 and TLS 1.1, now supporting only TLS 1.2 and strongly encouraging the adoption of TLS 1.3.
Nevertheless, some of the more esoteric aspects of applying strong encryption are still poorly understood – and this is becoming a growing issue for security teams. Data is put at risk when organisations have inadequately configured encryption protocols. However, in many cases, finance companies do not have a full view of what is or isn’t encrypted and whether they meet the standards set by regulators and governments. This is sometimes due to legacy infrastructure, but it is often because nobody ‘owns’ encryption within an enterprise, and so no single group or function ends up accountable.
Encryption isn’t a silver bullet
Encryption provides clear advantages to application security teams looking to protect sensitive financial data, to provide better privacy for customers and to ensure compliance with various data regulations. However, it is not a silver bullet or an appropriate catch-all solution for every network security challenge.
We are increasingly seeing that attackers who breach an organisation’s perimeter are able to hide malicious activity within legitimate encrypted network traffic. This introduces a substantial blind spot for security teams. In the first three quarters of 2021 alone, attacks over encrypted channels increased by 314% from the previous year. These attacks aren’t necessarily cutting edge, but the lack of visibility into encrypted traffic gives intruders much greater freedom to operate on private networks with reduced risk of being caught. So, active decryption and inspection could be the answer. However, trying to decrypt vast traffic volumes creates significant costs and complexities. What’s more, modern encryption protocols use Perfect Forward Secrecy, a property of the key exchange in which client and server derive a fresh, short-lived session key for every connection, so that holding the server’s long-term private key is no longer enough to decrypt the traffic, making generic decryption even harder.
Clearly, this presents a significant and very dangerous blind spot for security teams. End-to-end encryption renders many of the established means of detection and countermeasures for malware ineffective. The sheer volume of data that organisations hold, and the speed and frequency at which it is shared with different IT environments, make it all but impossible for teams to rely on decryption to detect all malicious activity that uses encryption across their networks.
Mitigating against this hidden threat
When tasked with protecting sensitive customer financial data, there is no one-size-fits-all solution for finance organisations to adopt. While encryption will continue to play a significant role in protecting customer data, the volume and speed of data sharing makes it almost impossible to monitor for malicious traffic and presents new opportunities for cybercriminals to exploit.
Encrypted Traffic Analysis (ETA) is an emerging method of identifying and detecting suspicious or anomalous behaviour hidden in encrypted traffic without decrypting it. It uses a combination of artificial intelligence, machine learning and behavioural analytics to analyse the traffic as it stands. It ultimately improves visibility into encrypted network traffic without adding latency or infringing privacy. It also understands the behaviour of traffic across networks and provides alerts in near real time, allowing security teams to react immediately rather than after the fact. This significantly increases the rate at which suspicious activity can be identified in encrypted traffic, thereby reducing business risk.
The network visibility gained by employing an ETA platform can also help organisations to ensure that their encrypted estate is as secure as they intend. Many organisations use static analysis of the server certificate to assess their encryption, but this approach does not reveal the critical information of which protocol version and cipher suite are actually negotiated and used in each individual session.
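To make the difference between a certificate check and a per-session view concrete, here is an added example (not code from the article, and not Venari Security’s product) that reads the ServerHello of each TLS handshake, records the protocol version and cipher suite the session actually negotiated, and flags sessions that fall below a TLS 1.2 floor or use a key exchange without forward secrecy. Only handshake metadata is read; nothing is decrypted and no key material is needed. The peer names, the TLS 1.2 floor in MIN_VERSION and the three ServerHello records are constructed test data; the build_server_hello helper exists only to produce them and would be replaced by records taken from a packet capture.

```python
"""Per-session TLS posture check from handshake metadata (added example, not from the article)."""
import struct

TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# Subset of IANA cipher suite identifiers, enough for the constructed samples below.
CIPHER_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",                  # TLS 1.3 suites are always forward secret
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",  # TLS 1.2 with ephemeral ECDH
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",            # static RSA key exchange, no forward secrecy
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
EXT_SUPPORTED_VERSIONS = 0x002B  # TLS 1.3 announces itself here, not in the legacy version field
MIN_VERSION = 0x0303             # assumed policy floor: TLS 1.2


def parse_server_hello(record: bytes) -> dict:
    """Extract the negotiated version and cipher suite from a TLS record carrying a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]   # legacy_version: stays 0x0303 even for TLS 1.3
    pos = 34                                        # skip 2-byte version + 32-byte server random
    pos += 1 + hello[pos]                           # skip session_id (length-prefixed)
    if pos + 3 > len(hello):
        raise ValueError("truncated ServerHello")
    cipher_suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 3                                        # cipher suite + compression method byte
    if pos + 2 <= len(hello):                       # extensions block is optional in TLS 1.2
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_total, len(hello))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            ext_data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS and len(ext_data) == 2:
                version = struct.unpack("!H", ext_data)[0]  # the version really in use
    return {"version": version, "cipher_suite": cipher_suite}


def assess_session(session: dict) -> list:
    """Return findings for one session; an empty list means it meets the assumed policy."""
    findings = []
    version, cipher = session["version"], session["cipher_suite"]
    if version < MIN_VERSION:
        findings.append("legacy protocol negotiated: " + TLS_VERSIONS.get(version, hex(version)))
    name = CIPHER_SUITES.get(cipher)
    if name is None:
        findings.append("unrecognised cipher suite %#06x, review manually" % cipher)
    elif version < 0x0304 and "DHE" not in name:   # pre-1.3: only (EC)DHE suites are ephemeral
        findings.append("no forward secrecy: " + name)
    return findings


def build_server_hello(version: int, cipher_suite: int, extensions: bytes = b"") -> bytes:
    """Construct a ServerHello record for the samples below (test data, not a real capture)."""
    legacy = min(version, 0x0303)                   # TLS 1.3 keeps 0x0303 on the wire
    hello = struct.pack("!H", legacy) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    hello += struct.pack("!H", cipher_suite) + b"\x00"           # cipher suite, null compression
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", legacy) + struct.pack("!H", len(handshake)) + handshake


# Constructed sessions keyed by a made-up peer name; the third one is deliberately weak.
SAMPLE_SESSIONS = {
    "api-gateway:443": build_server_hello(
        0x0304, 0x1301, struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)),
    "payments-app:443": build_server_hello(0x0303, 0xC02F),
    "legacy-batch:8443": build_server_hello(0x0301, 0x002F),
}


def audit(sessions: dict) -> dict:
    """Map each peer to the findings for what it actually negotiated."""
    return {peer: assess_session(parse_server_hello(rec)) for peer, rec in sessions.items()}


if __name__ == "__main__":
    for peer, findings in audit(SAMPLE_SESSIONS).items():
        print(peer, "OK" if not findings else "; ".join(findings))
```

A valid certificate on legacy-batch:8443 would pass a static certificate check, yet the session-level view shows it negotiating TLS 1.0 with a static RSA cipher suite, which is exactly the gap the paragraph above describes. The same parser can be pointed at the ClientHello to see what peers offer, which is where fingerprinting-based ETA techniques start.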
Overcoming security risks in an encrypted world
Organisations should not treat regulatory compliance as the end goal. While encryption is the minimum action that network security teams should take, they also need to account for the additional security risks that TLS 1.3 and encryption present. To help overcome this, security teams need to adopt a “measure and mitigate” approach rather than one of “decrypt and detect”. This will enable security teams to understand what’s happening in the moment and gain visibility into activity on their encrypted networks, so that effective action can be taken before malicious traffic becomes an incident.