The National Security Agency (NSA) published an advisory that addresses the risks behind Transport Layer Security Inspection (TLSI) and provides mitigation measures for weakened security in organizations that use TLSI products. TLSI (aka TLS break and inspect) is the process through which enterprises can inspect encrypted traffic with the help of a dedicated product such as a proxy device, a firewall, intrusion detection or prevention systems (IDS/IPS) that can decrypt and re-encrypt traffic encrypted with TLS.
Organizations that plan to, or are currently, using TLSI to detect malicious activities on the network must be sure to maintain the certificate validation process that would normally happen between the client and the server. Additionally, organizations should monitor TLS certificate metadata with network traffic analytics. These details such as certificate common name, Certificate Authority (CA) information, and expiration date, will give security and network professionals information they need to detect when TLSI systems are not properly validating certificates. An example of this would be when there are connections to sites with expired certificates or untrusted CAs are allowed to connect instead of returning an error. By leveraging this information from the network, organizations can verify that they are validating TLS connections in the most secure manner which ensures that information security is maintained throughout the connection.
Many organizations use \”break and inspect\” technologies to gain better visibility into encrypted traffic. I prefer to preserve encryption wherever possible, for the reasons outlined by the NSA. This is why companies like Corelight invests into features like SSH Inference to inform defenders while protecting privacy. Our new sensor feature profiles Secure Shell traffic to identify account access, file transfers, keystroke typing, and other activities, all while preserving default encryption and without modifying any endpoint software. I believe security teams will have to increasingly incorporate these sorts of solutions, rather than downgrading or breaking encrypted traffic.