ESG Research Report: The Evolving Role of NDR Download Here
Skip to Main Content

Top 5 Problems with Break and Inspect (TLSI) for Encryption

We live in an encrypted world. When encryption blocks security teams from inspecting network traffic, is decrypting traffic (TLSI) a good response?

During Q2’21, attackers delivered 91.5% of malware over encrypted traffic. So how can we detect which encrypted data on the network is safe and which is not?

Unfortunately, encryption blinds legacy tools like DPI, IPS, and signature-based approaches. That is why some organizations have tried a break and inspect approach in an attempt to regain visibility into network traffic.

This approach, often called transport layer security inspection (TLSI), involves decrypting data, inspecting it for threats, and re-encrypting it.

As it turns out, this is an incomplete and often costly approach that can introduce new organizational risk.

5 problems with decrypting network packets (TLSI)

Nearly every organization is challenged right now by high levels of encrypted network traffic. Are you considering a TLSI approach? Be aware of these 5 concerns as you consider break and inspect.

  1. Decrypting network traffic may be illegal

Nearly 90% of network traffic is now encrypted, for a reason: to maintain privacy. Decrypting some traffic (think finance, contracts, or healthcare) may be illegal or leave you out of compliance.

how-much-network-traffic-is-encrypted

     2. Decrypting network traffic may be impossible

Network decryption tools are providing far less visibility as encryption protocols become stronger. From a Gartner research note:
“The rapid deployment of encryption tool TLS 1.3 increases the amount of network traffic that cannot be decrypted, even with the use of decryption toolsets.”

Privacy demands are driving stronger encryption. In the future, the break and inspect approach reveals less and less.

     3. Break-and-inspect requires time-consuming decisions

It is the last thing understaffed security teams need. But IT & security teams taking a TLSI approach must create extensive whitelists for traffic that cannot be decrypted but should be allowed to enter the network.

We all know that creating allow lists is time-consuming and often imperfect. This can create friction within any organization. Because accidentally blocking legitimate traffic leads the business to blame either SecOps, NetOps, or both.

     4. TLSI and decryption creates additional risk

How about risk mitigation for your risk mitigation? Between key forwarding misconfigurations and an increased risk of insider threat, the NSA warned organizations and agencies about a break-and-inspect approach. It also says those forging ahead with this approach will have to implement risk mitigations as a result.

     5. Decrypting network traffic is computationally expensive

You must stage security stacks at each edge in the enterprise with the TLSI approach. This is costly and possibly overkill. In addition, these inspection tools create chokepoints. Devices decrypt data, inspect it and re-encrypt and re-certify. Degraded network performance is possible.

The TLSI alternative: Encrypted Traffic Analysis

Encrypted network traffic is increasing. The effectiveness of current approaches is dropping. Consider restoring visibility for network defenders with an innovative alternative, Encrypted Traffic Analysis (ETA).

What is Encrypted Traffic Analysis (ETA)? This approach analyzes behaviors of network assets and traffic to detect advanced threats, without decrypting anything. And it’s coming on strong.

Gartner research note 74460 reveals why:
Being able to detect malicious content without decrypting the traffic is quickly becoming important to buyers, not because they are discovering this gap anew, but because they are discovering the availability of this capability… and this will soon be considered mandatory functionality for NDR buyers.

LiveAction’s NDR approach uses encrypted traffic analysis (ETA).

TLSI-alternative-example

This ETA approach:

  • Works regardless of encryption
  • Uses 150+ analyzers to create baselines, detect anomalies, make complex correlations
  • Combines machine learning with encrypted traffic analysis
  • Delivers SOC ready, threat scored and Mitre ATT&CK labeled alerts
  • Lightweight sensor deployment, SaaS based, covers core, cloud, edge
  • Use cases for ransomware, advanced phishing attacks, insider threat detection & more

Uninspected network traffic is a problem. Which approach is the right solution for your organization?

If you have more questions about Encrypted Traffic Analysis then download a complimentary white paper on the topic, How ETA Works.