Partner POV | Precryption Has Arrived
Article written by Michael Dickman, Chief Product Officer, Gigamon.
Gigamon has introduced a novel way to solve the thorny hybrid cloud problem of encrypted attacks. Gigamon Precryption™ technology is elegant and it's cool, but more importantly, it enables security teams to shine a bright light on what has until now been a very real blind spot.
"You can't secure what you can't see." – Every cybersecurity leader ever
Our recent hybrid cloud security survey of over 1,000 IT and security leaders revealed that their number one concern is exploitation of blind spots they didn't even know were there. In today's hybrid cloud landscape, with more and more workloads in both private and public clouds, IT and security professionals face blind spots, especially around lateral movement (East-West traffic), that logging does not capture correctly or completely. Most solutions focus on the cloud perimeter or on a logging agent on the host, or worse yet, assume the public cloud platform will handle security automatically. According to Venafi, over 80 percent of organizations had a cloud security incident in the last year, and our own security survey found that 31 percent of attacks went undetected by security tools, meaning our job is far from done.
"Everything in life is a double-edged sword." – Anita Dobson, U.K. soap opera star
Encryption is nearly ubiquitous in today's networks, delivering on the "C" of the CIA triad (confidentiality) by frustrating the theft of meaningful data. Unfortunately, this same technology is now being leveraged by threat actors, who use encryption to conceal their tracks. Attackers piggyback on employee credentials, encrypt their actions, spoof ports, and even simulate the look and feel of normal traffic and tools by living off the land. The result, per our survey, is that 31 percent of data breaches last year went undetected by security and observability tools.
These types of attacks are exactly why so many organizations are moving to Zero Trust architectures. As John Kindervag, creator of Zero Trust, says, "To achieve [Zero Trust], you need full visibility across your entire network, regardless of whether assets reside on-premises, are hosted in the cloud, or there's a mix of both." And when you add encryption to the mix, strange things can happen. "A federal law enforcement official once told me of a breach in which the attackers actually optimized network performance in order to accelerate data exfiltration," Kindervag adds.
"That's the hard thing about hard things — there is no formula for dealing with them." – Ben Horowitz, entrepreneur and venture capitalist
At Gigamon, adding depth to observability is our job. IT and security leaders accept the axiom that network traffic doesn't lie, and therefore they need this reliable, immutable source of truth. For years, we have provided plaintext visibility at the perimeter and other choke points via decryption solutions. In the world of cloud, where threat actors bypass the perimeter and then move laterally inside encrypted channels, we need to do more. Modern encryption standards built on perfect forward secrecy, such as TLS 1.3, have made decryption inside the cloud complicated and expensive at best, impractical and infeasible at worst. TLS 1.3 mandates ephemeral key exchange, so a passive tap holding a server's private key can no longer derive session keys the way it could with RSA key exchange in older TLS versions; decryption now requires per-session key material from an endpoint or an inline proxy that terminates the connection.
Cloud decryption requires either cumbersome agents and runtime security tools inside every layer of an app or unnatural acts of traffic routing in the cloud, or both. Most organizations therefore haven't tackled the challenge, yet the pressure to adopt TLS 1.3 and PFS, combined with standard attacker behavior, makes the cost of doing nothing ever greater. A recent report from EMA research revealed that over 90 percent of IT and security professionals are concerned about loss of visibility due to TLS 1.3.
"The less effort, the faster and more powerful you will be." – Bruce Lee, martial artist and actor
What if observing encrypted traffic was…easier? Cheaper? More effective? Without burden to the development teams? Gigamon Precryption technology delivers plaintext visibility without decryption. That is right, the benefit of decryption without decrypting.
Precryption leverages native functionality inside Linux to capture traffic at the workload, before it is encrypted onto the network or after it has been decrypted. In this way, it is not actually decrypting anything. No keys need to be intercepted, no key libraries need to be managed, and there is no computationally expensive decryption tax.
The security stack then receives a plaintext copy of the traffic, increasing both its capacity and its efficacy (estimated by Zscaler as a 5–7X improvement) at spotting threats previously hidden by encryption. As with any decryption-based visibility approach, that plaintext copy is itself sensitive, so the path from tap to tool needs the same protection the original channel had. Eliminating these blind spots and making threat detection more effective are essential to succeeding with Zero Trust.
Moreover, Precryption technology runs independently of the application, avoiding the operational challenges of classic agent-based approaches, such as lifecycle management when the agent and the app are on different upgrade schedules.
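To make the "capture before encryption, or after decryption" idea concrete, here is an added example. It is not Gigamon's code and not a description of how Precryption is implemented; it shows the general technique of observing TLS plaintext at the library boundary on Linux. The bpftrace script below attaches uprobes to OpenSSL's SSL_write and SSL_read, so it prints the bytes an application hands to the TLS library just before encryption and the bytes the library returns just after decryption, without touching any key. The libssl path is an assumption for a Debian/Ubuntu x86_64 host running OpenSSL 3; adjust it for your distribution.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Added example (not Gigamon code): observe TLS plaintext at the
 * OpenSSL library boundary with Linux uprobes. No keys are involved;
 * we read the application's own buffers before/after the library works
 * on them.
 *
 * Assumption: OpenSSL 3 at this path (Debian/Ubuntu x86_64). Verify with
 *   ldconfig -p | grep libssl
 * Run as root:
 *   bpftrace ./tls_plaintext.bt
 */

BEGIN
{
  printf("tracing SSL_write/SSL_read plaintext... Ctrl-C to stop\n");
}

/* Outbound: the application calls SSL_write(ssl, buf, num) with
 * plaintext; encryption happens inside the call. arg1 = buf, arg2 = num,
 * so the buffer is fully populated at entry. */
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_write
{
  printf("[%d %s] SSL_write %d bytes\n", pid, comm, arg2);
  printf("%s\n", str(arg1, arg2));
}

/* Inbound: SSL_read(ssl, buf, num) fills buf with decrypted data.
 * The buffer is only meaningful at return, so remember the pointer on
 * entry (keyed by thread id) and read it when the call returns. */
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
{
  @rbuf[tid] = arg1;
}

uretprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
/@rbuf[tid]/
{
  /* retval > 0 is the number of plaintext bytes written into buf;
   * <= 0 means error, want-read, or shutdown, with nothing to show. */
  if (retval > 0) {
    printf("[%d %s] SSL_read %d bytes\n", pid, comm, retval);
    printf("%s\n", str(@rbuf[tid], retval));
  }
  delete(@rbuf[tid]);
}

END
{
  clear(@rbuf);
}
```

Two practical notes. bpftrace's str() truncates at BPFTRACE_STRLEN (64 bytes by default), so run with, for example, BPFTRACE_STRLEN=200 to see more of each payload; to watch a single process, add a predicate such as /pid == $1/ to each probe and pass the PID as the first argument. Also, a hook at one library's boundary only sees what passes through that library: processes that use SSL_write_ex/SSL_read_ex, a different TLS library, or a language runtime with its own TLS stack (Go's crypto/tls, for instance) need their own hook points, which is exactly the coverage problem a product-grade tap has to solve across a fleet.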
Precryption is built on top of our GigaVUE® Universal Cloud Tap (UCT), a lightweight, independent software module that runs across a wide range of virtual, cloud, and container platforms, including VMware, AWS, Azure, Google Cloud, Kubernetes, OpenStack, OpenShift, Tanzu, and Nutanix.
The architecture is built to interoperate natively with ease in all major environments:
- Any version of TLS (TLS 1.1, TLS 1.2, and TLS 1.3), with or without mutual authentication (mTLS)
- Both North-South and East-West (lateral) traffic
- All kinds of network security tools, including network detection and response (NDR), intrusion detection (IDS), and observability-based tools like SIEMs
- Regardless of cipher type or strength
- No impact on, or requirements for, routing
- Controlled from a single fabric manager across the hybrid cloud