Over 90 percent of attackers cover their tracks with the same tactic security teams use to protect their data, encryption, and broadly speaking, no one is watching.
Michael Dickman, Chief Product Officer at Gigamon, reveals that his company has introduced a novel way to solve the thorny hybrid cloud problem of encrypted attacks. The technology is elegant and it is cool, but more importantly it lets security teams shine a bright light on what has until now been a real blind spot.
Gigamon’s recent hybrid cloud security survey of over 1,000 IT and security leaders revealed that their number one concern is exploitation of blind spots that they didn’t even know were there.
In today’s hybrid cloud landscape, with more and more workloads in both private and public clouds, IT and security professionals clearly face blind spots, especially around lateral movement (east-west traffic), that logging does not capture correctly or completely.
Most solutions focus on the cloud perimeter or on a logging agent on the host, or worse yet assume the public cloud platform will handle security automatically. According to Venafi, over 80 percent of organisations had a cloud security incident in the last year, and our own security survey found that 31 percent of attacks went undetected by security tools, meaning our job is far from done.
Encryption is nearly ubiquitous in today’s networks, delivering the ‘C’ of the CIA triad (confidentiality) by denying an eavesdropper any meaningful data. Unfortunately, the same technology now shields threat actors, who use encryption to conceal their activity.
Attackers piggyback off employee credentials, encrypt their actions, spoof ports, and even mimic the look and feel of normal traffic and tools by living off the land. The result is that 31 percent of data breaches last year went undetected by security and observability tools.
Such attacks are exactly why so many organisations are moving to Zero Trust architectures. As John Kindervag, creator of Zero Trust, says: “To achieve [Zero Trust], you need full visibility across your entire network, regardless of whether assets reside on-premises, are hosted in the cloud, or there’s a mix of both.
“And when you add encryption to the mix, strange things can happen. A federal law enforcement official once told me of a breach in which the attackers actually optimised network performance in order to accelerate data exfiltration.”
Adding depth to observability is my company’s job. IT and security leaders accept the axiom that network traffic doesn’t lie, and therefore want that reliable, immutable source.
For years we have provided plaintext visibility at the perimeter and other choke points via decryption solutions. In the cloud, where threat actors bypass the perimeter and then move laterally inside encrypted channels, we need to do more.
Modern protocol versions make that harder. TLS 1.3 mandates forward-secret (ephemeral Diffie-Hellman) key exchange, so a passive tap can no longer decrypt sessions with a copy of the server’s private key the way it could with RSA key exchange in TLS 1.2. Decryption now needs either the per-session keys or an inline proxy that terminates TLS, which makes it complicated and expensive inside the cloud at best, impractical and infeasible at worst.
Cloud decryption therefore requires cumbersome agents and runtime security tooling inside every layer of an application, unnatural acts of traffic routing in the cloud, or both. Most organisations have not tackled the challenge, yet the pressure to adopt TLS 1.3 and PFS, combined with standard attacker behaviour, makes the cost of doing nothing ever greater.
A recent report from EMA research revealed that over 90 percent of IT and security professionals are concerned about loss of visibility due to TLS 1.3.
What if observing encrypted traffic was…easier? Cheaper? More effective? Without burden to the development teams?
My company’s precryption technology delivers plaintext visibility without decryption. That’s right: the benefit of decryption without decrypting.
It uses native Linux functionality to capture traffic at the point where the application hands plaintext to the TLS library, before it is encrypted on the way out and after it has been decrypted on the way in. Nothing is actually decrypted: no keys are intercepted, no key stores have to be managed, and there is no computationally expensive decryption tax.
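The article does not name the Linux facility involved. As an added illustration, and not Gigamon’s code or a description of its product, the following bpftrace script shows the general technique of tapping plaintext at the TLS library boundary with eBPF uprobes: it attaches to OpenSSL’s SSL_write and SSL_read in libssl and records the buffer the application passes in, on entry for SSL_write (the plaintext is already there, before encryption) and on return for SSL_read (the library has just filled it with decrypted bytes). The library path, the OpenSSL 3 soname, the script file name ssl_tap.bt and the BPFTRACE_STRLEN value are assumptions for a Debian or Ubuntu host.

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not part of the original article: tap plaintext at the
// OpenSSL API boundary with eBPF uprobes instead of decrypting on the wire.
// Assumed library path for OpenSSL 3 on Debian/Ubuntu; adjust for your distro.
// Run as root, e.g.:  BPFTRACE_STRLEN=200 bpftrace ssl_tap.bt

BEGIN
{
    printf("tapping SSL_write/SSL_read in libssl.so.3 (Ctrl-C to stop)\n");
}

// SSL_write(SSL *ssl, const void *buf, int num): buf already holds the
// plaintext the application wants sent, so it can be read on entry,
// before the library encrypts it. arg1 = buf, arg2 = num.
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_write
{
    printf("[%s pid=%d] SSL_write %d bytes (pre-encryption):\n%s\n",
           comm, pid, arg2, str(arg1, arg2));
}

// SSL_read(SSL *ssl, void *buf, int num): buf is filled by the library,
// so remember the pointer on entry and read it on return, when the
// return value says how many decrypted bytes were written into it.
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
{
    @rbuf[tid] = arg1;
}

uretprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
/@rbuf[tid]/
{
    // retval <= 0 means error or shutdown: nothing was decrypted.
    if (retval > 0) {
        printf("[%s pid=%d] SSL_read %d bytes (post-decryption):\n%s\n",
               comm, pid, retval, str(@rbuf[tid], retval));
    }
    delete(@rbuf[tid]);
}

END
{
    // Do not dump the pointer map on exit.
    clear(@rbuf);
}
```

Because the probe reads the application’s buffer rather than the wire, what it sees is independent of TLS version, cipher or key exchange, which is why this class of approach is unaffected by TLS 1.3 and forward secrecy. The caveats a practitioner should keep in mind when trying something like this themselves: it only covers processes that dynamically load that libssl (statically linked binaries, Go’s crypto/tls, BoringSSL or rustls need their own probe points), it requires root or CAP_BPF on the host, and its output is the plaintext, so the tap and whatever it feeds need the same protection you would give decrypted traffic. The bcc project ships a comparable tool, sslsniff, if you would rather start from a maintained script.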
The security stack then receives a plaintext copy of the traffic, increasing both its capacity and its efficacy (Zscaler estimates a 5–7X improvement) at spotting threats previously hidden by encryption. Eliminating these blind spots and making threat detection more effective are essential to succeeding with Zero Trust.
Moreover, my company’s precryption technology runs independently of the application, avoiding the operational challenges of classic agent-based approaches, such as lifecycle management when the agent and the app are on different upgrade schedules.
It is built on top of our universal cloud tap, a lightweight, independent software module that runs across a wide range of virtual, cloud, and container platforms, including VMware, AWS, Azure, Google Cloud, Kubernetes, OpenStack, OpenShift, Tanzu, and Nutanix.
The architecture interoperates natively with all major environments:
# Any version of TLS, including mTLS, TLS 1.1, TLS 1.2, and TLS 1.3.
# Both north-south and east-west (lateral) traffic.
# All kinds of network security tools, including network detection and response (NDR), intrusion detection (IDS), and observability-based tools like SIEMs.
# Regardless of cipher type or strength.
# No impact on, or requirements for, routing.
# Controlled from a single fabric manager across the hybrid cloud.