Over the last several years we have seen encryption become more pervasive. Does it now make sense for security teams to invest in network security monitoring solutions?
With the strong push for encryption on everything from websites to hard drives, encryption is becoming a standard practice for most organizations. Reviewing the graph below from Google’s Transparency Report, we see that a majority of web traffic is now HTTPS.
Encryption is permeating other protocols. In September 2018, CloudFlare announced a new protocol that hides the server name during the SSL handshake. RFC 7858 (DNS-over-TLS) and RFC 8484 (DNS-over-HTTPS) were both proposed this decade and are already implemented by some organizations. (Note that DNSSEC doesn't encrypt DNS queries; it only ensures they are authenticated.) SMBv3 and SNMPv3 also include cryptographic capabilities. Microsoft's Remote Desktop Protocol now incorporates SSL, and SSH has always been encrypted.
It seems that just about all data transmitted over a network is encrypted or is moving in that direction. It is for these reasons that some vendors push to move security monitoring to the endpoint, where the machine decrypts the information anyway. Is network security monitoring dead in the coming age of encryption?
Why Monitor Network Traffic?
I answer with a resounding “No!” Organizations need network security monitoring just as much today as they did a decade ago, although some techniques in security monitoring have changed.
Not All Traffic is Encrypted
If you believe your organization's network traffic is all encrypted, think again. Take a packet capture on a busy router and you will likely find a lot of unencrypted traffic. Syslog, older SMB and SNMP versions, IoT traffic, telnet, DNS, DHCP, FTP, remote desktop, email, remote procedure calls, NTLM, Kerberos, and more are bound to show up. All that data is valuable for security monitoring.
Network monitoring is a great way to audit your services and ensure they are configured properly. You might think all of your websites enforce HTTPS, or that you disabled remote desktop on all the workstations. With network security monitoring, you may find some misconfigurations, or discover that clients still send sensitive information over HTTP first, before the server redirects them to HTTPS.
If a machine is compromised, you can't trust the logs and data coming from it. Whether a rootkit neutralizes the protections or someone abuses local administrator credentials, the integrity of that data is questionable. Network monitoring provides independent monitoring and logging that can confirm what endpoint protections and logs are reporting.
Many network security products now support decrypting SSL traffic. By loading your servers' certificates and private keys into your intrusion prevention system (IPS) or intrusion detection system (IDS), you can inspect the encrypted traffic for exploit attempts. Note that this passive approach only works for cipher suites without forward secrecy; with ephemeral Diffie-Hellman key exchange (and in TLS 1.3) the server's private key alone is not enough to decrypt a session.
Client SSL traffic can also be inspected. Place a trusted certificate authority (CA) certificate on your organization's machines and the corresponding certificate and private key on your firewall, and you can inspect outbound SSL traffic as well. It's an effective way to catch data exfiltration and credential theft.
Protocol and Session Information
Security teams need to monitor for protocol anomalies. Attackers often abuse remote protocols to compromise a machine (EternalBlue being a prime example). Data exfiltration can take place in seemingly benign traffic such as DNS or ICMP. A network monitoring solution such as an IDS will pick up the strange behavior and alert you to exploit attempts before one succeeds.
Even if encryption covers a large amount of the traffic on your network, you can still gain valuable information from session information. Looking at which external IP addresses your machines are talking to, and on what ports, is valuable data.
For example, if an IP address is a known command and control (C2) host, or perhaps located in Seychelles, then you can investigate. You can also find unexpected internal network scans and beaconing hosts, and even the SSL certificate can reveal malware. In fact, Cisco has researched how to detect malware communication hiding in SSL without decryption.
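As an added illustration of the DNS exfiltration point (this is example code written for this post, not something from the original article or from any IDS vendor), the script below runs a simple tunnelling heuristic over a constructed DNS query log: it groups queries by client and registrable domain and flags clients that asked for many distinct, long, high-entropy subdomain labels, which is how data typically leaves in encoded chunks. The thresholds, the sample log and the hypothetical host 10.0.0.9 are all assumptions chosen for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log as (client_ip, queried_name) pairs.
# 10.0.0.9 is the hypothetical host tunnelling data out through subdomain labels.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.com"),
    ("10.0.0.9", "a9f3k2j8x1q4z7w0.tunnel.example.net"),
    ("10.0.0.9", "b8e2m1n7y4p3r6t5.tunnel.example.net"),
    ("10.0.0.9", "c7d1l0o6u3s2v5x4.tunnel.example.net"),
    ("10.0.0.9", "d6c0k9n5t2r1u4w3.tunnel.example.net"),
    ("10.0.0.9", "e5b9j8m4s1q0t3v2.tunnel.example.net"),
    ("10.0.0.9", "f4a8i7l3r0p9s2u1.tunnel.example.net"),
]


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score higher than words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Naive registrable domain: the last two labels. A real sensor would use the
    public suffix list so that e.g. 'example.co.uk' is handled correctly."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_encoded(label, min_len=12, min_entropy=3.5):
    """True for labels that are long and high-entropy, as base32/hex chunks are."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def dns_exfil_candidates(queries, min_unique=5):
    """Group queries by (client, registered domain) and flag groups in which the
    client asked for many distinct, encoded-looking subdomain labels."""
    names_by_key = defaultdict(set)
    for client, name in queries:
        names_by_key[(client, registered_domain(name))].add(name.lower().rstrip("."))
    findings = {}
    for key, names in names_by_key.items():
        suspicious = [n for n in names if looks_encoded(n.split(".")[0])]
        if len(suspicious) >= min_unique:
            findings[key] = {"unique_names": len(names), "encoded_labels": len(suspicious)}
    return findings


if __name__ == "__main__":
    for (client, domain), stats in dns_exfil_candidates(SAMPLE_QUERIES).items():
        print(f"possible DNS tunnelling: {client} -> {domain} {stats}")
```

On real logs the same heuristic needs an allow-list for legitimately noisy domains (CDNs, anti-spam lookups and the like generate long labels too), and the query volume per domain is usually a stronger signal than any single label.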
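To show what session metadata alone gives you, here is an added example (written for this post, not code from the original article or from any vendor) that runs three checks over a constructed connection log without looking at a single payload byte: a beaconing detector based on how regular the intervals between connections to the same destination are, a match against an indicator list, and an internal scan detector. The internal ranges, the indicator address (203.0.113.10, from documentation address space), the thresholds and every record in the log are assumptions made for the example.

```python
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: these are the organization's internal ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed indicator list. 203.0.113.0/24 is documentation address space,
# not a real command-and-control host.
KNOWN_C2 = {"203.0.113.10"}

# Constructed connection records: (timestamp_seconds, src_ip, dst_ip, dst_port).
SAMPLE_CONNS = (
    # 10.0.0.7 beacons to 198.51.100.5:443 roughly every 60 s with 1 s of jitter
    [(1000 + 60 * i + (i % 2), "10.0.0.7", "198.51.100.5", 443) for i in range(10)]
    # 10.0.0.3 browses an external site at irregular intervals
    + [(t, "10.0.0.3", "198.51.100.20", 443) for t in (1000, 1007, 1100, 1103, 1400, 1401)]
    # 10.0.0.3 makes one connection to the listed C2 address
    + [(1500, "10.0.0.3", "203.0.113.10", 8443)]
    # 10.0.0.12 sweeps 30 internal hosts on port 445
    + [(2000 + i, "10.0.0.12", f"10.0.1.{i}", 445) for i in range(1, 31)]
)


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_beacons(conns, min_conns=5, max_cv=0.2):
    """Return {(src, dst, dport): cv} for flows whose inter-connection intervals are
    too regular to be human. cv = stdev / mean of the intervals; automated
    check-ins cluster near 0, while browsing is typically well above 1."""
    times = defaultdict(list)
    for ts, src, dst, dport in conns:
        times[(src, dst, dport)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            beacons[key] = cv
    return beacons


def match_indicators(conns, indicators):
    """Connections whose destination address is on the indicator list."""
    return [rec for rec in conns if rec[2] in indicators]


def find_internal_scanners(conns, min_targets=20):
    """Sources that touched many distinct internal (host, port) pairs."""
    targets = defaultdict(set)
    for _, src, dst, dport in conns:
        if is_internal(dst):
            targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    print("beacons:", find_beacons(SAMPLE_CONNS))
    print("indicator hits:", match_indicators(SAMPLE_CONNS, KNOWN_C2))
    print("scanners:", find_internal_scanners(SAMPLE_CONNS))
```

The same three functions work unchanged on an IDS connection log exported as timestamp, source, destination and port, which is exactly the information that survives encryption. Expect to tune the coefficient-of-variation threshold and the minimum connection count per environment, since update checkers and monitoring agents beacon too and belong on an allow-list rather than in the alert queue.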
Inventory and Profile
Most security frameworks, such as NIST or CIS, say the first step is to identify what's in your environment. By passively observing the network, you can create a pretty comprehensive inventory and profile that active probing cannot completely give. You can see the services a server offers, or which ones a client uses. Port knocking might prevent an active scan from seeing SSH open on a server, but passive monitoring will see it. You will have an answer when someone inevitably asks the question, "How many machines have X service open?"
A profile of the network traffic is quite helpful too. If you know which machines use a particular service or port, and you see a new one pop up, then you can investigate accordingly.
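The audit and inventory points above (finding cleartext services, spotting clients that talk HTTP before being redirected to HTTPS, and noticing a service that is not in the profile) can all be driven from one passive connection log. The example below is added for this post and is not code from the original article or from any IDS; it assumes a Zeek-style record with a per-connection service label, a constructed log, and a constructed baseline of what each server is expected to offer.

```python
from collections import defaultdict

# Assumption: the sensor labels each connection with a Zeek-style service name.
# Services that carry data in cleartext (illustrative, not exhaustive).
CLEARTEXT_SERVICES = {"http", "telnet", "ftp", "dns", "smtp", "syslog", "snmp"}

# Constructed connection records: (timestamp, src_ip, dst_ip, dst_port, service).
SAMPLE_CONNS = [
    (100, "10.0.0.5", "10.0.1.20", 80, "http"),     # client hits HTTP first...
    (101, "10.0.0.5", "10.0.1.20", 443, "ssl"),     # ...then is redirected to HTTPS
    (200, "10.0.0.6", "10.0.1.20", 443, "ssl"),
    (300, "10.0.0.7", "10.0.1.30", 22, "ssh"),
    (310, "10.0.0.7", "10.0.1.30", 23, "telnet"),   # telnet on a server believed SSH-only
    (400, "10.0.0.8", "10.0.1.40", 53, "dns"),
    (500, "10.0.0.9", "10.0.1.50", 3389, "rdp"),    # RDP on a workstation believed disabled
]

# Constructed baseline of the ports each server is expected to offer.
BASELINE = {"10.0.1.20": {80, 443}, "10.0.1.30": {22}, "10.0.1.40": {53}}


def passive_inventory(conns):
    """Map each destination host to the (port, service) pairs clients actually used."""
    inventory = defaultdict(set)
    for _, _, dst, dport, service in conns:
        inventory[dst].add((dport, service))
    return dict(inventory)


def cleartext_services(inventory):
    """Sorted (host, port, service) triples for services that are not encrypted."""
    return sorted(
        (host, port, service)
        for host, entries in inventory.items()
        for port, service in entries
        if service in CLEARTEXT_SERVICES
    )


def new_services(inventory, baseline):
    """Ports observed on a host that the baseline profile does not list."""
    novel = {}
    for host, entries in inventory.items():
        unexpected = {port for port, _ in entries if port not in baseline.get(host, set())}
        if unexpected:
            novel[host] = unexpected
    return novel


def http_before_https(conns, window=30):
    """(client, server) pairs where an HTTP connection was followed within `window`
    seconds by an SSL connection to the same server: the redirect-to-HTTPS pattern
    in which the client may already have sent data in the clear."""
    http_times = defaultdict(list)
    flagged = set()
    for ts, src, dst, _, service in sorted(conns):
        if service == "http":
            http_times[(src, dst)].append(ts)
        elif service == "ssl" and any(0 <= ts - t <= window for t in http_times[(src, dst)]):
            flagged.add((src, dst))
    return flagged


if __name__ == "__main__":
    inventory = passive_inventory(SAMPLE_CONNS)
    print("cleartext services:", cleartext_services(inventory))
    print("not in baseline:", new_services(inventory, BASELINE))
    print("HTTP before HTTPS:", http_before_https(SAMPLE_CONNS))
```

Answering "how many machines have X open?" is then a count over the inventory, and re-running `new_services` against yesterday's inventory as the baseline turns the profile into an alert on anything that just appeared.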
Most Attacks Happen Remotely
It's rare for an attack not to occur over a network connection. Billions of devices can reach your public-facing servers, but only a handful can physically access your machines. At some point a compromised machine will generate traffic. The more network data you can gather, the better picture you will paint of what happened during an incident.
Endpoint Monitoring Shortcomings
Even if you purchased an endpoint solution with all the bells and whistles, you still cannot cover 100% of endpoints. Your IoT devices, ICS, appliances, network infrastructure, and shadow IT will still be unprotected, as they almost never come with a way to install third-party monitoring solutions. Without network security monitoring such as an IDS, what can you do about those devices? How will you know whether they are compromised?
Endpoint monitoring solutions tend to focus more on the system itself and less on the network traffic the system sends and receives. Implementing endpoint protections alone will not help you find protocol anomalies or suspicious packets hitting the system.
One of the most powerful traits of the right network security monitoring is the flexibility you gain across a breadth of applications. For example, I often see organizations with multiple login portals: CAS, SAML, LDAP, and many independent local login pages. Perhaps you want to check the passwords used at each login type against haveibeenpwned data. Although you could put monitoring and security controls in at the application level (assuming you control the applications in the first place), doing so for each one takes a lot of time. With a network monitoring solution, you do it once and it becomes effective across all login portals, without touching the applications' code.
If you work at a decentralized organization, such as a business that bought another company or a university where each department has its own IT people, network security monitoring is perhaps the only solution that provides consistent monitoring across all environments. Although I generally recommend centralizing, getting groups with vastly different technical implementations to conform to a single way of doing things is a huge headache. Implementing network security monitoring is still challenging, but much less so, and it can be done faster.
Organizations often provide a guest network for visitors or allow employees to bring their own devices (BYOD). However, guest access and BYOD can be abused, whether the device owner is aware of it or not. At this time an organization cannot install endpoint monitoring on guest devices to enforce corporate policies. Yet these unmanaged guest and BYOD devices often share public IP space with the corporate network.
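The haveibeenpwned check mentioned above can be done once for every portal with the Pwned Passwords range API, which uses k-anonymity: the sensor hashes the password with SHA-1, sends only the first five hex characters of the digest, and compares the returned suffixes locally, so the password never leaves the sensor. The code below is an added example for this post, not code from the original article or from Have I Been Pwned; the endpoint URL and response format are the real ones, while the login events, the range response body and its counts are constructed, and `fake_fetch_range` stands in for the HTTP GET so the example runs offline.

```python
import hashlib

# Real endpoint of the Pwned Passwords range API; only a 5-character hash prefix is
# ever sent to it, so the password itself never leaves the network sensor.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Uppercase SHA-1 hex digest split into the 5-char prefix that is sent and the
    35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_request_url(password):
    prefix, _ = split_sha1(password)
    return HIBP_RANGE_URL + prefix


def breach_count(password, range_body):
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return how many times
    the password appeared in breaches, or 0 if its suffix is not listed."""
    _, suffix = split_sha1(password)
    for line in range_body.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def audit_logins(logins, fetch_range):
    """Run the same check over credentials seen on every portal. `logins` is an
    iterable of (portal, username, password); `fetch_range` maps a prefix to the
    response body. Returns (portal, username, count) for breached passwords only;
    the cleartext password is hashed and dropped, never stored or logged."""
    hits = []
    for portal, user, password in logins:
        prefix, _ = split_sha1(password)
        count = breach_count(password, fetch_range(prefix))
        if count:
            hits.append((portal, user, count))
    return hits


# Constructed range response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The suffix:count lines are made up for the example.
SAMPLE_RANGE_BODY = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
2B3A1C5D7E9F0A2B4C6D8E0F1A3B5C7D9E1:2
"""

# Constructed login events from three different portals; no real credentials.
SAMPLE_LOGINS = [
    ("cas", "alice", "password"),
    ("saml", "bob", "correct horse battery staple"),
    ("local-app", "carol", "password"),
]


def fake_fetch_range(prefix):
    """Offline stand-in for an HTTP GET of HIBP_RANGE_URL + prefix."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for portal, user, count in audit_logins(SAMPLE_LOGINS, fake_fetch_range):
        print(f"{portal}: {user} used a password seen {count} times in breaches")
```

In a deployment the sensor would replace `fake_fetch_range` with a real GET of `range_request_url(...)`, cache responses by prefix, and emit only the portal, username and count to the SIEM, which is the one integration point that covers every login page at once.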
To protect the reputation of the network and the availability of services, the only option left is to use network monitoring for guests and BYOD even if the effectiveness is reduced by encryption.
Encryption is changing how teams do network security monitoring, but it is not the nail in the coffin some think it is. Organizations still need intrusion detection systems and intrusion prevention systems for holistic cybersecurity. The data generated by those systems combined with endpoint monitoring solutions can empower security teams, helping them adequately defend organizations from cyberattacks.
Featured photo provided by https://www.maxpixel.net/Cyber-Space-Hacking-Hacker-Cyber-Security-Hack-1944688