A colleague of mine recently recounted a conversation he had with two McAfee Web Gateway customers at an industry event, who complained that malware was still getting into their network. My colleague asked, “Are you using SSL scanning?” and the two customers gave each other that “deer in the headlights” look as they realized that was probably the primary source of their malware infestation.
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are protocols used primarily to encrypt communications between a browser and a web site so that a third party cannot read them in transit. Every time you access a URL beginning with HTTPS (Hypertext Transfer Protocol Secure), your interaction with the web site is encrypted. Indeed, many popular sites, such as Yahoo!, Google, LinkedIn, and Twitter, use HTTPS by default, and the number is growing. Gartner estimates that encrypted web traffic now accounts for between 15% and 25% of all outbound web traffic (source: Gartner, “Security Leaders Must Address Threats From Rising SSL Traffic,” 12/9/2013). Unfortunately, Gartner also reports that “…less than 20% of organizations with a firewall, an intrusion prevention system (IPS) or a unified threat management (UTM) appliance decrypt inbound or outbound SSL traffic.”
If your organization is one of the 80% that aren’t examining SSL packets as part of your security best practices, you may very well already be infected and not even know it. During the past few years, malware toolkits have emerged that leverage HTTPS to hide malware from network defenses that do not inspect encrypted traffic. The bottom line is that if you want to protect your network from malware infection, you need to aggressively examine all inbound and outbound web traffic, including encrypted traffic.
For more information on HTTPS scanning and other best practices, read the “HTTPS Considerations” section on the “MWG Best Practices and Common Scenarios” site (which, naturally, is encrypted).