ENCRYPTED TRAFFIC MANAGEMENT
Ty Mellon - Regional Manager, Government, Healthcare, Education
Blue Coat Systems, Inc.
512-507-1242
Copyright © 2015 Blue Coat Systems Inc. All Rights Reserved. 2
THE WORLD’S MOST SUCCESSFUL ORGANIZATIONS TRUST BLUE COAT TO PROTECT THEIR BUSINESS
Over 30% of FORTUNE Global 10K Companies
16 Largest Service Providers in the World
Worldwide Government Organizations
86% of FORTUNE Global 500 Companies
Stop Advanced Threats | Manage Encrypted Traffic | Secure the Cloud | Protect the Web
ENCRYPTED TRAFFIC IS GROWING
[Chart: SSL share of network traffic – 2013: 35%, 2015: 50%, 2017: 73%. Source: Gartner]
SSL is estimated at 35 - 50% of network traffic and growing 20% annually*
• >70% in some industries (e.g. federal, finance, healthcare)
100% US government web traffic encrypted by 2017
Ecommerce, Finance, Healthcare; Social Media, Email, Enterprise Apps
Google, Apple, Microsoft, Yahoo, Mobile Apps
*Source: Gartner
THE BAD GUYS KNOW IT!
[Chart: SSL share of network traffic – 2013: 35%, 2015: 50%, 2017: 73%; more than 50% of all malware will use SSL by 2017*]
Advanced Threats use SSL to hide C&C almost as default
• sslbl.abuse.ch (the “Zeus Tracker” site)
• 423 blacklisted SSL certificates (May ’14 – Jan ’15):
  • Most (recently) are “Dyre C&C”
  • Many are “KINS C&C”, “Vawtrak MITM”, “Shylock C&C”
  • Several are generic “Malware C&C”
  • A few “URLzone C&C”, “TorrentLocker C&C”, “CryptoWall C&C”, “Upatre C&C”, “Spambot C&C”, “Retefe C&C”, “ZeuS MITM”
• …that’s a dozen recent malware families using SSL
*Source: Gartner
EXISTING SECURITY INFRASTRUCTURE IS INSUFFICIENT
[Diagram: Intrusion Prevention, Next Gen Firewall, DLP, Anti-Malware, Network Forensics]
Most security solutions are “blind” to SSL
• DLP, IDS, Sandbox & Network Forensics
“Tool by tool” SSL decryption doesn’t work
• Costly upgrades: NGFW and IPS solutions suffer up to 80% performance degradation*
• Numerous, evolving cryptographic suites
• Certificate and key management complexities
• Additional complexity – arduous scripting
*Sources: NSS Labs, Gartner
WHAT ABOUT PRIVACY AND COMPLIANCE
Data privacy concerns and the risk of advanced threats lead to requirements:
1) Manage what type of information is decrypted
2) Assure custody and integrity of encrypted data
THE MOST EFFECTIVE STRATEGY TO MANAGE ENCRYPTED TRAFFIC
• Automated elimination of SSL blind-spot
• Ensure highest level of encryption maintained
• Enhance effectiveness and ROI of existing security tools
• Preserve privacy and compliance while enabling security
ELIMINATE THE ENCRYPTED TRAFFIC BLIND SPOT
• Automatically discover all SSL/TLS traffic, regardless of port or application
• Complex scripting not required
• Faster ‘time-to-productivity’
• Expose potential hidden threats*
• High-performance inspection
  • 4 Gbps SSL throughput
  • 400K connections / second (CPS)
  • Software and hardware acceleration
  • Support for multiple network segments simultaneously
* TCP Ports used by Dyre Trojan for Hidden Command & Control - Blue Coat Labs
ASSURE THE HIGHEST LEVEL OF ENCRYPTED SECURITY
• Support for the latest cryptographic standards
  • Timely and complete coverage: 70+ cipher suites and key exchanges supported
  • e.g. AES-GCM, ChaCha, Camellia
• Maintain security posture
  • Do not modify the existing infrastructure security posture
  • No “downgrading” of cryptography – utilize what’s established
  • No “replay vulnerable” RSA forced for key exchange
• Ensure compliance
  • No exposure or vulnerability of decrypted data
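The “no downgrading” and “no forced RSA key exchange” requirements on this slide can be verified rather than taken on trust. The following is an added example, not Blue Coat’s code or the appliance’s own logic: it compares the cipher suites a client offered in its ClientHello with the suites an inspection device re-offers to the origin server and reports any weakening (suites added that the client never offered, forward-secret suites dropped in favour of static RSA, weak suites retained, or the client’s preference order changed). The suite lists and the list of “weak” markers are constructed assumptions for the example.

```python
"""Downgrade check for a TLS-inspection hop (added example, not Blue Coat code).

Compares the cipher suites a client offered with the suites the inspecting device
re-offers upstream. Suite names are IANA names; the sample lists are constructed.
"""
from dataclasses import dataclass, field

# Key-exchange classes by IANA suite-name prefix: ephemeral (EC)DH gives forward secrecy.
FORWARD_SECRET_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")
# Bulk cipher / MAC markers this policy treats as weak (an assumption, not a standard list).
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_MD5")


def is_forward_secret(suite: str) -> bool:
    return suite.startswith(FORWARD_SECRET_PREFIXES)


def is_weak(suite: str) -> bool:
    return any(marker in suite for marker in WEAK_MARKERS)


def keeps_client_order(client: list, upstream: list) -> bool:
    """True if the suites re-offered upstream keep the client's relative preference
    order, i.e. the upstream list (restricted to client suites) is a subsequence."""
    pos = 0
    for suite in (s for s in upstream if s in client):
        try:
            pos = client.index(suite, pos) + 1
        except ValueError:
            return False
    return True


@dataclass
class DowngradeReport:
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def check_no_downgrade(client_offered, upstream_offered) -> DowngradeReport:
    """Compare the client's offered suites with what the inspection device sends upstream."""
    client, upstream = list(client_offered), list(upstream_offered)
    report = DowngradeReport()

    added = [s for s in upstream if s not in client]
    if added:
        report.findings.append(f"suites added that the client never offered: {added}")

    if any(map(is_forward_secret, client)) and not any(map(is_forward_secret, upstream)):
        report.findings.append("forward-secret (ECDHE/DHE) suites dropped: static RSA key exchange forced")

    weak_upstream = [s for s in upstream if is_weak(s)]
    if weak_upstream and any(not is_weak(s) for s in client):
        report.findings.append(f"weak suites retained although client offered stronger ones: {weak_upstream}")

    if not keeps_client_order(client, upstream):
        report.findings.append("client preference order changed by the inspection device")

    return report


# Constructed sample data (not captured from any real device).
CLIENT_HELLO_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
UPSTREAM_OK = [s for s in CLIENT_HELLO_SUITES if not s.startswith("TLS_DHE_")]  # subset, same order
UPSTREAM_RSA_ONLY = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
UPSTREAM_REORDERED = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    for label, upstream in [("ok", UPSTREAM_OK), ("rsa-only", UPSTREAM_RSA_ONLY), ("reordered", UPSTREAM_REORDERED)]:
        rep = check_no_downgrade(CLIENT_HELLO_SUITES, upstream)
        print(label, "PASS" if rep.ok else "FAIL", rep.findings)
```

The two lists would in practice come from packet captures taken on the client-facing and server-facing segments of the inspection device; the check is deliberately one-directional, since dropping a suite the client offered is acceptable as long as forward secrecy, strength and preference order survive.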
ENHANCES EXISTING SECURITY PRODUCTS VISIBILITY AND ROI
[Diagram: NGFW, Forensics, Anti-Malware, IDS / IPS and DLP fed from a single decryption point; the Global Intelligence Network supplies policy categories and worldwide malware reporting & blocking]
DECRYPT ONCE --- FEED MANY
PRESERVE PRIVACY AND COMPLIANCE WHILE ENABLING SECURITY
Selective Decryption enables ‘Blacklist’ and ‘Whitelist’ Policies
• Host Categorization Service
  • Leverages the Blue Coat Global Intelligence Network
  • Utilizes 80+ categories, in 55 languages
  • Processes over 1.2B web and file requests per day
  • Easily customizable per regional and organizational needs
Policy Examples
• Block or decrypt traffic from suspicious sites and known malnets
• Bypass / Do not decrypt financial and banking-related traffic
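The two policy examples above, together with the earlier point about discovering SSL/TLS traffic regardless of port, are easiest to understand as code. The following is an added example and not Blue Coat’s code or the categorization service’s API: a minimal ClientHello parser that pulls the server name (SNI) out of the first bytes of a flow whatever port it arrived on, and an ordered rule list over host categories that decides block / bypass / decrypt, with a local per-host override for organizational whitelists. The category table, the override table, the hostnames and the ClientHello builder used for sample input are all constructed for the example; which category names exist and how unknown hosts are treated are assumptions.

```python
"""Selective decryption by host category (added example, not Blue Coat code).

Category table, host overrides and hostnames are constructed; a real deployment
would query a categorization service instead of CATEGORIES.
"""
from enum import Enum


class Action(Enum):
    BLOCK = "block"      # drop the flow
    BYPASS = "bypass"    # forward still encrypted; never decrypted
    DECRYPT = "decrypt"  # decrypt once, feed the inspection tools


# Constructed category table: domain suffix -> category (longest matching suffix wins).
CATEGORIES = {
    "bank.example": "Financial Services",
    "clinic.example": "Health",
    "bad.example": "Malicious Sources/Malnets",
    "docs.example": "Business",
}
# Constructed local overrides by exact hostname (organizational whitelist / blacklist).
HOST_OVERRIDES = {"payroll.docs.example": Action.BYPASS}
# Ordered rules (name, categories, action): first match wins, blocks precede bypasses.
POLICY = [
    ("block-malnets", {"Malicious Sources/Malnets"}, Action.BLOCK),
    ("privacy-bypass", {"Financial Services", "Health"}, Action.BYPASS),
]
DEFAULT_RULE = ("decrypt-rest", Action.DECRYPT)
UNCATEGORIZED_ACTION = Action.DECRYPT  # assumption: unknown hosts are inspected


def categorize(server_name):
    labels = server_name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return None


def decide(server_name):
    """Return (action, matching rule name, category) for a server name."""
    host = server_name.lower().rstrip(".")
    category = categorize(host)
    if host in HOST_OVERRIDES:
        return HOST_OVERRIDES[host], "host-override", category
    if category is None:
        return UNCATEGORIZED_ACTION, "uncategorized", None
    for name, cats, action in POLICY:
        if category in cats:
            return action, name, category
    return DEFAULT_RULE[1], DEFAULT_RULE[0], category


def sni_from_client_hello(data: bytes):
    """server_name from a TLS ClientHello record on any port; None if not a
    ClientHello or no SNI extension is present."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:               # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                                  # record hdr, hs hdr, version, random
        pos += 1 + data[pos]                                  # session_id
        pos += 2 + int.from_bytes(data[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + data[pos]                                  # compression_methods
        ext_end = pos + 2 + int.from_bytes(data[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end:
            ext_type = int.from_bytes(data[pos:pos + 2], "big")
            ext_len = int.from_bytes(data[pos + 2:pos + 4], "big")
            if ext_type == 0:                                 # server_name extension
                name_len = int.from_bytes(data[pos + 7:pos + 9], "big")
                return data[pos + 9:pos + 9 + name_len].decode("ascii")
            pos += 4 + ext_len
    except (IndexError, UnicodeDecodeError):
        return None
    return None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying only an SNI extension (sample input)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name
    sni_list = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"               # version, random, empty session_id
            + b"\x00\x02\xc0\x2b"                            # one cipher suite
            + b"\x01\x00"                                    # null compression
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def classify_flow(first_bytes: bytes):
    """Policy decision for the first client bytes of a flow: (action, rule, sni)."""
    sni = sni_from_client_hello(first_bytes)
    if sni is None:
        return Action.BYPASS, "not-tls-or-no-sni", None      # nothing to decrypt; pass through
    action, rule, _ = decide(sni)
    return action, rule, sni


if __name__ == "__main__":
    for host in ["www.bank.example", "c2.bad.example", "docs.example", "payroll.docs.example", "unknown.test"]:
        print(host, classify_flow(build_client_hello(host)))
    print("http", classify_flow(b"GET / HTTP/1.1\r\n"))
```

The rule order is the policy: a block for known malnets sits before the privacy bypass, so a bank-categorized host that is also on a malnet list is still blocked, and the per-host override is consulted before categories so that a legal or HR whitelist cannot be undone by a category change. Decisions are logged by hostname, rule and category only, so the audit trail never contains decrypted content.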
SSL DECRYPTION – TWO APPROACHES
Inbound SSL Decryption
Origin: from the Internet. Destination: your hosted services
• Web Servers
• Email Servers
• Customer Web Portals
Outbound SSL Decryption
Origin: inside your network. Destination: to the internet
• Outbound Encrypted Internet Traffic
• Encrypted Email
• Shadow IT (SaaS)
[Diagram: Clients and Hosted Services on one side, the Internet on the other, with the Security Solution in the path for each direction]
Providing Visibility for the Entire Security Stack… IPS – IDS – APT – DLP – APM – SIEM – Full Packet Capture
SSL VISIBILITY APPLIANCE DEPLOYMENT MODELS
Model is per-Segment (not per-appliance)
• Passive-Tap
  • Inbound only
• Passive-Inline
  • Inbound and Outbound
  • Max 2 passive tools
• Active-Inline
  • Inbound and Outbound
  • Active tool(s)
  • Max 2 passive tools
SSL VISIBILITY APPLIANCE COMMON USE CASE
1. Identify all inbound and outbound SSL / TLS traffic
2. Utilize the Global Intelligence Network
3. Establish category-based policies to selectively decrypt SSL traffic and maintain compliance
4. Feed existing security solutions to expose potential threats
  • Avoid high capacity upgrade costs
  • Extend security infrastructure investment
  • Assures data integrity of traffic – auditable “loopback”
[Diagram: clients and corporate servers behind a gateway / firewall; the SSL Visibility Appliance, consulting the Global Intelligence Network, passes encrypted traffic on to the Internet server and decrypted traffic to the NG IPS, Sandbox and Security Analytics; markers ❶–❹ correspond to the steps above]
SSL VISIBILITY APPLIANCE FAMILY
| Function | SV800-250M | SV800-500M | SV1800 | SV2800 | SV3800 |
| Total Packet Processing | 8 Gbps | 8 Gbps | 8 Gbps | 20 Gbps | 40 Gbps |
| SSL Visibility Throughput | 250 Mbps | 500 Mbps | 1.5 Gbps | 2.5 Gbps | 4 Gbps |
| Concurrent SSL Flow States (CPS) | 20,000 | 20,000 | 100,000 | 200,000 | 400,000 |
| New Full Handshake SSL sessions (CPS, i.e. Setups / Tear Downs), 1024-bit keys | 1,000 | 2,000 | 7,500 | 10,500 | 12,500 |
| New Full Handshake SSL sessions (CPS, i.e. Setups / Tear Downs), 2048-bit keys | 1,000 | 2,000 | 3,000 | 3,000 | 6,000 |
| Configurations | Fixed | Fixed | Fixed | Modular 3 Slots | Modular 7 Slots |
| Input / Output | 8x 10/100/1000 Copper (fixed) | 8x 10/100/1000 Copper (fixed) | 8x 10/100/1000 Copper or Fiber (fixed) | 2x10G Fiber, 4x1G Copper, 4x1G Fiber Network Mods | 2x10G Fiber, 4x1G Copper, 4x1G Fiber Network Mods |
| Resiliency | Fail-to-Wire (FTW) / Fail-to-Appliance (FTA) | FTW / FTA | FTW / FTA | FTW / FTA | FTW / FTA |
Network Modules / Net Mods (USD)
• 4 port copper 1G : NTMD-SV-4x1G-C
• 4 port fiber 1G : NTMD-SV-4x1G-F
• 2 port fiber 10G SR : NTMD-SV-2x10G-SR
• 2 port fiber 10G LR : NTMD-SV-2x10G-LR
IPS REFRESH OPPORTUNITY
Global Financial Services Firm
• Pain Points
  • Lack of visibility into SSL/TLS encrypted traffic
  • Compliance adherence and risks
  • Increasing Advanced Persistent Threats (APTs) and malware attacks
• Solution
  • “Decrypt Once-Feed Many” design supporting Cisco/Sourcefire IPS and FireEye solutions
  • Existing Blue Coat ProxySG and AV customer looking for continued WebPulse / Global Intelligence Network collaboration
• Results
  • Over 25 SSL Visibility Appliances deployed across North America, LATAM and Europe
  • Satisfied customer with a globally secure network that enhances and complements their existing solutions
BLIND SPOT : MULTIPLE TOOLS + HR/LEGAL
US-based Fortune 50 Company
• Pain Points
  • Realized they have massive blind spots with their IPS (HP), forensics (RSA NetWitness) and malware analysis (FireEye) solutions
  • Faced confusion regarding SSL offload and “back-to-back” solutions (e.g. A10, F5)
  • Spent 4 months trying to make F5 work
• Solution
  • Blue Coat educated customer on ETM
  • Addressed Legal Dept. concerns with Host Categorization
  • Quickly Shipped Equipment
  • POC set up and showed the value in just 3.5 hours
• Results
  • 24 SV2800 appliances in < 60 days
  • Satisfied customer with a secure network that enhances and complements their existing security solutions
NG** - SOMETIMES ALL IN ONE --- ISN’T ALL IN ONE
Regional Bank / Financial Firm
• +1000 server infrastructure supporting +8000 employees
• Using Venafi to distribute, validate and manage cryptographic certs & keys
• Longtime Blue Coat customer
• Pain Points
  • Rapid growth of SSL required strengthened security posture
  • Current use of Palo Alto NGFW w/ IDS/IPS was insufficient due to poor performance and no support for Venafi cert/key management
  • PAN H/W upgrades were significantly over budget
  • 2 month deadline for current FY
• Solution
  • SSL Visibility Appliances feed PAN NGFW+IDS and support Venafi Trust Protection Platform
  • “Decrypt Once-Feed Many” architecture allows future growth
  • Additional security projects in discussion
• Results
  • 5 SSL Visibility Appliances delivered in 3 weeks
  • Satisfied customer with a newly enhanced secure network that complements their existing solutions within budget
RAMIFICATIONS OF SSL / TLS GROWTH
• Ignoring encrypted traffic
  • Increases data security and governance risk
    • Inbound infestation
    • Outbound data exfiltration
• Inspecting encrypted traffic
  • Invokes regulatory compliance
    • Numerous regulations per industry
  • Adds complexity and CapEx / OpEx costs
    • Decreases ROI of the infrastructure
ENCRYPTED TRAFFIC MANAGEMENT: A SECURITY NECESSITY
• Encrypted traffic is growing, advanced threats increasingly use encryption, and most security solutions are “blind” to SSL or cause degraded performance or degraded cryptography.
• Encrypted Traffic Management – Blue Coat
  • Eliminate the encrypted traffic blind spot
  • Assure high security encryption
  • Cost-effectively enhance the existing security infrastructure (ROI)
  • Preserve privacy and compliance while enabling comprehensive security
ENCRYPTED TRAFFIC MANAGEMENT: FOR MORE INFORMATION
• Understanding the Impact of SSL/TLS Encryption and Mitigation Options
  • Blue Coat “The Visibility Void”
  • Gartner report “Security Leaders Must Address Threats from Rising SSL Traffic”
  • SANS white paper “Finding Hidden Threats by Decrypting SSL”
  • ETM for Dummies book
• Balancing Data Privacy with Security
  • Securosis white paper “Security and Privacy on the Encrypted Network”
• SSL/TLS Performance Analyses
  • NSS Labs report “SSL Performance Problems”
www.bluecoat.com/uncoverssl
GOT SSL? WWW.BLUECOAT.COM/UNCOVERSSL