
The Diminishing Efficacy of Network Security | Optiv

February 23, 2015

I am an old-school network security guy, and it pains me to see the rapid decline of network security solutions due to the advancement of detection evasion techniques. Back in the day, you could expect most malicious traffic to be clearly visible, and you just had to worry about making sure your signatures and blacklisted IPs/domains were up to date for the latest threats.

If you really wanted to be proactive, you could block communication to and from entire CIDR blocks belonging to countries you do not do business with and that are well known for malicious intent. This would cut down the volume of attacks by orders of magnitude.

Well, oh how times have changed. We live in a completely different world now. These days you can count on the reverse being true.

Most traffic is encrypted and/or tunneled, domain generation algorithms (DGAs) have made site reputation almost meaningless, and it is all too common for attackers to proxy through a network of compromised domestic machines so that their traffic looks benign and evades detection or blocking by region.

For those who are not aware of DGAs, a DGA spins up thousands of single-use, pseudo-randomly generated domain names to serve as malware command and control (C2) proxies. It is well known that a significant share of cloud services is being used for this purpose.
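As an added illustration of the point above (example code, not from the original post or from Optiv): a small triage pass over constructed DNS query log lines, showing that a reputation blocklist catches none of the DGA-style names while simple structural features of the registered label (entropy, vowel ratio, digit ratio) flag all of them. The log format, the domains, the blocklist and the thresholds are assumptions made for this example.

```python
import math
from collections import Counter

# Constructed sample DNS query log lines (assumed format: "<ts> <client> <qname>").
# The domains are invented for this example and are not real indicators.
SAMPLE_LOG = """\
2015-02-23T10:00:01Z 10.0.0.5 www.example.com
2015-02-23T10:00:02Z 10.0.0.5 mail.example.org
2015-02-23T10:00:03Z 10.0.0.9 xk3v9q2lzr8wpt.com
2015-02-23T10:00:04Z 10.0.0.9 q7zjw1mcx4bvgt.net
2015-02-23T10:00:05Z 10.0.0.9 accounts.example.net
2015-02-23T10:00:06Z 10.0.0.9 fj4ps8dltw0kqz.org
"""

# Assumed reputation blocklist. Single-use DGA names never make it onto such a
# list in time, which is the gap the post describes.
BLOCKLIST = {"known-bad.example"}

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score near log2(len(s))."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_label(qname: str) -> str:
    # Naive: label left of the TLD. Ignores multi-part suffixes such as co.uk.
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(qname: str) -> int:
    """Count of structural features typical of machine-generated labels (0..3)."""
    label = registered_label(qname)
    length = max(len(label), 1)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / length
    digit_ratio = sum(ch.isdigit() for ch in label) / length
    score = 0
    score += shannon_entropy(label) > 3.2   # assumed threshold
    score += vowel_ratio < 0.2               # pronounceable words have vowels
    score += digit_ratio > 0.1               # digits mixed into the label
    return score

def triage(log_text: str, blocklist=BLOCKLIST, threshold: int = 2):
    """Return (qnames hit by reputation, qnames hit by structural heuristics)."""
    by_reputation, by_structure = [], []
    for line in log_text.splitlines():
        _ts, _client, qname = line.split()
        if qname in blocklist:
            by_reputation.append(qname)
        if dga_score(qname) >= threshold:
            by_structure.append(qname)
    return by_reputation, by_structure
```

The heuristics are deliberately crude; in practice they would feed a scoring model and be combined with query volume and NXDOMAIN rates per client.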

It is true that when a site is listed as bad, being able to block connection attempts to it is still helpful. But if a site is listed as good, that does not mean it is good. The concept of “good” traffic has become very muddled and unknowable.

In fact, all of the uncertainty on the network has pushed detection down to the host level, for which there is an increasing array of new solutions almost weekly. But, that is a topic for another blog.

Fear not, my network friends, all is not lost. The increasing efficacy of SSL decryption solutions is breathing new life and vitality into network inspection solutions. SSL decryption has become to network traffic inspection devices what bread is to sandwiches.

The most effective way to do this is to decrypt the traffic once, pipe it to a network segment shared by all inspection devices (IDS, DLP, etc.), and give every device visibility simultaneously. Remember, you only want to have to decrypt the data once. Having multiple inspection devices in line, each decrypting for itself, is a non-starter.

Further, this often creates a need for network ingress/egress consolidation to aggregate the traffic through a handful of SSL decryption and network inspection devices. These solutions are costly, and it makes sense to aggregate. But make sure you still have at least 2 sites for your business continuity/disaster recovery plan.
