Smackdown: Enterprise monitoring vs TLS 1.3 and DoH

New encryption standards TLS 1.3 and DNS-over-HTTPS are sweeping the last crumbs of visible user activity off the enterprise network table. Fail to take any action, and within two years, you'll lose the ability to analyze network traffic and detect the cyberthreats that will endanger your organization.

Security

Cyber security 101: Protect your privacy from hackers, spies, and the government

Simple steps can make the difference between losing your online accounts or maintaining what is now a precious commodity: Your privacy.

Read More

Technically, the male praying mantis mates for life. If you know anything about the mating habits of the female sex of that particular insect, you now also understand the limitations of the word "technically." Similarly, technically, TLS 1.3 and DNS-over-HTTPS (DoH) are improvements upon previous technologies that are supposed to improve security. In reality, TLS 1.3 and DoH will improve individuals' privacy but will paradoxically reduce security in the on-premises enterprise environment over the short term. 

TLS 1.3 and DoH are merely the latest salvos in a long battle between privacy activists and the surveillance, um, community that stretches back nearly as long as we've had browsers. The latest changes represent the penultimate end state, where all browser data and metadata is encrypted. 

I cover network security controls and the network analytics and visibility space for Forrester. Many security tools such as enterprise firewalls, secure web gateways, and cloud access security brokers (CASBs) block users from going to known-bad websites by examining three key pieces of metadata in the encrypted traffic: 

  • The user's DNS request. Prior to DNS-over-HTTPS, security tools could see where a user was heading on the internet by looking at their cleartext DNS request. 

  • The target's SSL certificate. Prior to TLS 1.3, the target destination of the user would typically send back an SSL certificate that included its hostname, organization name, etc. Proper certificates have expiration times, revocation status, and signature verification for the trust chain. All of these could be checked by a control; version 1.3 encrypts it. 

  • The Server Name Indication (SNI). To support megahosters, the SSL/TLS protocol was modified years ago to include the plaintext server name in the SSL request. Security and monitoring controls extract the SNI from the request as a signal for where the user is going and, if it's a bad place, could block them. 

These three metadata will be disappearing from network traffic soon, and that will benefit human rights activists living in an oppressive regime, visiting journalists in hostile countries, and masses of people who can't trust a sketchy ISP. But most Forrester security and risk clients are monitoring their users to protect them, not exploit them, and these changes make their lives more difficult. 

For new research, I interviewed over two dozen architects at vendors and clients to understand how they intend to counteract the loss of visibility in the short and long term. The report highlights the technical innovations and tools that security pros need to put in place in the coming years. During the months of research, several trends and insights surprised me, including: 

  • Encrypted traffic analysis is rising. Cisco debuted this technology half a decade ago, but at least three other vendors are now applying machine learning (ML) to encrypted traffic. It's not going to find everything, of course, but automated scans or brute-force attempts over SSL should stick out like a sore thumb for an ML model looking at human browser traffic. 

  • Session keys are the key. Two vendors extract session keys and distribute them for monitoring and security processing at the control plane. Such a technique was inevitable when forward secrecy became the convention (now the standard for TLS 1.3), and now you can buy it. 

  • You can't leave the past behind. Version 1.0 of TLS just turned 21, meaning it's old enough to drink. Instead of retiring, it's moving into your basement and staying there for another 10 years. Everyone's going to have old, not easily retired servers that don't even support TLS 1.2. 

This post was written by Senior Analyst David Holmes, and it originally appeared here