COMMENTARY: Our team’s analysis of 1.46 trillion network flows across 2,500 global enterprises found that nearly
half of these companies use
Transport Layer Security (TLS) inspection. What’s more, only 3% of companies inspect all relevant TLS-encrypted sessions.
TLS inspection lets organizations decrypt, inspect, and re-encrypt traffic. Organizations that enable TLS inspection block 52% more malicious traffic in comparison to those without it.
[
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
Despite this obvious benefit, many businesses shy away from TLS inspection, leaving their doors wide open to exploitation by CVEs such as with
Log4J and
SolarWinds.
Why organizations avoid TLS inspection
Many businesses either completely avoid TLS inspection or exempt a significant portion of their traffic from it, creating critical gaps in their security posture. There are a number of reasons why organizations omit TLS inspection:
Implementation complexities: TLS inspection is not very straightforward process. IT teams have to constantly maintain and update a long list of bypassed applications and domains, often an error-prone and burdensome process.
Susceptibility to disruptions: Many applications are incompatible with TLS inspection, and enabling them would break the user experience.
Compliance concerns: TLS inspection requires decrypting sensitive communications such as emails, personal data, and financial transactions, which raises privacy and regulatory concerns, especially for regulated industries like healthcare, government, and finance.
How convergence helps with traditional TLS inspection
Convergence of networking and security into a unified, cloud-native platform such as SASE lays the foundation for better TLS inspection. Processing traffic once in a single pass and applying multiple controls lets the platform apply AI/ML models trained on real-world telemetry to learn which applications and domains are safe to inspect and where inspection would break functionality.
This architecture helps to overcome a number of challenges security teams face with TLS inspection, including:
Secure automation: SASE uses a single-pass architecture that ingests billions of network flows across thousands of customer networks and endpoints. AI algorithms run in the background, watching whether TLS inspection breaks access to a given application or domain. They can then share this information so other customers of the service benefit from this knowledge. Using this crowd-sourced approach, the SASE platform analyzes vast amounts of real-time traffic and identifies apps/domains that are safe to inspect. As a result, the SASE service can deliver an automated list of applications and domains that are safe to inspect without having to worry about maintaining a long list of exclusions.
User experience: Security teams struggle with traditional TLS inspection because of the vast number of incompatible applications and domains, causing user disruptions. On the other hand, SASE TLS inspection, powered by insights from real-world traffic across the SASE provider’s customer base, identifies apps and domains that matter the most and determines which applications are safe to inspect. This ensures that users experience no interruptions.
Reduced operational complexity: SASE’s automated TLS inspection removes the need for IT teams to maintain long lists of apps and domains that they must bypass. By centralizing and automating this complex process, SASE promises to reduce operational overhead, minimize manual errors, and free IT resources to focus on more strategic tasks. The automated process requires minimal manual intervention to maintain. TLS inspection can be deployed in a few clicks, eliminating manual configuration and constant monitoring of exclusion lists.
Protection and performance: SASE TLS Inspection leverages a cloud-native architecture, which lets it scale across large, globally distributed enterprises. Inspection gets optimized in real-time, ensuring security without impacting performance. TLS inspection activates TCP acceleration, maximizing throughput for long-distance connections with high latency. SASE security teams research real-time insights from global traffic patterns and continuously refine inspection policies and categories, catching critical threats hidden in encrypted traffic and maintaining control over cloud applications. This targeted approach ensures that critical data flows are scrutinized for potential threats and data leaks without disrupting legitimate operations.
Compliance-driven data protection: Regulated industries are required to maintain compliance with strict data protection standards. SASE TLS inspection ensures comprehensive visibility into encrypted traffic flows, meeting compliance requirements without disrupting business operations. By automating the inspection process and reducing manual intervention, SASE ensures that all data flows meet regulatory standards, thereby avoiding potential fines/penalties and maintaining the integrity of business operations.
About
95% of malware gets delivered via encrypted channels. Therefore, if the company does not inspect encrypted traffic today, it’s leaving the organization vulnerable to malware attacks and CVE exploitation.
If security teams continue to avoid the use of TLS inspection because of its many challenges, then it's best to re-evaluate and re-imagine the organization’s entire network security approach and consider a unified and simplified cloud-native service like SASE.
Etay Maor, vice president of threat intelligence, Cato NetworksSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.