ENCRYPTED TRAFFIC MANAGEMENT Ty Mellon - Regional Manager, Government, Healthcare, Education Blue Coat Systems, Inc. 512-507-1242

Jan 17, 2016


Francis Lang

ENCRYPTED TRAFFIC MANAGEMENT

Ty Mellon - Regional Manager, Government, Healthcare, Education

Blue Coat Systems, Inc.

512-507-1242

Copyright © 2015 Blue Coat Systems Inc. All Rights Reserved.

THE WORLD’S MOST SUCCESSFUL ORGANIZATIONS TRUST BLUE COAT TO PROTECT THEIR BUSINESS

Over 30% of FORTUNE Global 10K Companies

16 Largest Service Providers in the World

Worldwide Government Organizations

86% of FORTUNE Global 500 Companies

Stop Advanced Threats | Manage Encrypted Traffic | Secure the Cloud | Protect the Web


ENCRYPTED TRAFFIC IS GROWING

[Chart, 2013 / 2015 / 2017: 35% / 50% / 73%. *Source: Gartner]

SSL is estimated at 35 - 50% of network traffic and growing 20% annually*

• >70+% in some industries (e.g. federal, finance, healthcare)

100% US government web traffic encrypted by 2017

Ecommerce, Finance, Healthcare

Social Media, Email, Enterprise Apps

Google, Apple, Microsoft, Yahoo, Mobile Apps


THE BAD GUYS KNOW IT!

>50% of all malware will use SSL by 2017*

*Source: Gartner

Advanced Threats use SSL to hide C&C almost as default

• sslbl.abuse.ch (the “Zeus Tracker” site)

• 423 blacklisted SSL certificates (May ’14 – Jan ’15):

• Most (recently) are “Dyre C&C”

• Many are “KINS C&C”, “Vawtrak MITM”, “Shylock C&C”

• Several are generic “Malware C&C”

• A few “URLzone C&C”, “TorrentLocker C&C”, “CryptoWall C&C”, “Upatre C&C”, “Spambot C&C”, “Retefe C&C”, “ZeuS MITM”

• …that’s a dozen recent malware families using SSL


EXISTING SECURITY INFRASTRUCTURE IS INSUFFICIENT

INTRUSION PREVENTION | NEXT GEN FIREWALL | DLP | ANTI-MALWARE | NETWORK FORENSICS

*Sources: NSS Labs, Gartner

Most security solutions are “blind” to SSL

• DLP, IDS, Sandbox & Network Forensics

“Tool by tool” SSL decryption doesn’t work

• Costly upgrades: NGFW and IPS solutions suffer up to 80% performance degradation*

• Numerous, evolving cryptographic suites

• Certificate and key management complexities

• Additional complexity – arduous scripting


WHAT ABOUT PRIVACY AND COMPLIANCE

DATA PRIVACY CONCERNS

RISK OF ADVANCED THREATS

LEAD TO REQUIREMENTS

1) Manage what type of information is decrypted

2) Assure custody and integrity of encrypted data


THE MOST EFFECTIVE STRATEGY TO MANAGE ENCRYPTED TRAFFIC

• Automated elimination of SSL blind-spot
• Ensure highest level of encryption maintained
• Enhance effectiveness and ROI of existing security tools
• Preserve privacy and compliance while enabling security


ELIMINATE THE ENCRYPTED TRAFFIC BLIND SPOT

• Automatically discover all SSL/TLS traffic, regardless of port or application
  • Complex scripting not required
  • Faster ‘time-to-productivity’
  • Expose potential hidden threats*
• High-performance inspection
  • 4 Gbps SSL throughput
  • 400K connections / second (CPS)
  • Software and hardware acceleration
  • Support for multiple network segments simultaneously

* TCP Ports used by Dyre Trojan for Hidden Command & Control - Blue Coat Labs


ASSURE THE HIGHEST LEVEL OF ENCRYPTED SECURITY

• Support for the latest cryptographic standards
  • Timely and complete coverage: 70+ cipher suites and key exchanges supported
  • e.g. AES-GCM, ChaCha, Camellia
• Maintain security posture
  • Do not modify the existing infrastructure security posture
  • No “downgrading” of cryptography – utilize what’s established
  • No “replay vulnerable” RSA forced for key exchange
• Ensure compliance
  • No exposure or vulnerability of decrypted data


ENHANCES EXISTING SECURITY PRODUCTS VISIBILITY AND ROI

NGFW | Forensics | Anti-Malware | IDS / IPS | DLP

Global Intelligence Network

Policy categories

WW malware reporting & blocking

DECRYPT ONCE --- FEED MANY


PRESERVE PRIVACY AND COMPLIANCE WHILE ENABLING SECURITY

Selective Decryption enables ‘Blacklist’ and ‘Whitelist’ Policies

• Host Categorization Service

• Leverages the Blue Coat Global Intelligence Network

• Utilizes 80+ categories, in 55 languages

• Processes +1.2B web and file requests per day

• Easily customizable per regional and organizational needs

Policy Examples

• Block or decrypt traffic from suspicious sites and known malnets

• Bypass / Do not decrypt financial and banking-related traffic


SSL DECRYPTION – TWO APPROACHES

Inbound SSL Decryption

Origin: from the Internet
Destination: your hosted services

• Web Servers
• Email Servers
• Customer Web Portals

Outbound SSL Decryption

Origin: inside your network
Destination: to the internet

• Outbound Encrypted Internet Traffic
• Encrypted Email
• Shadow IT (SaaS)

[Diagram: Clients, Hosted Services, Security Solution, Internet]

Providing Visibility for the Entire Security Stack… IPS – IDS – APT – DLP – APM – SIEM – Full Packet Capture


SSL VISIBILITY APPLIANCE DEPLOYMENT MODELS

Model is per-Segment (not per-appliance)

• Passive-Tap
  • Inbound only
• Passive-Inline
  • Inbound and Outbound
  • Max 2 passive tools
• Active-Inline
  • Inbound and Outbound
  • Active tool(s)
  • Max 2 passive tools

[Diagrams: Active-Inline, Passive-Tap, Passive-Inline]


SSL VISIBILITY APPLIANCE COMMON USE CASE

1. Identify all inbound and outbound SSL / TLS traffic

2. Utilize the Global Intelligence Network

3. Establish category-based policies to selectively decrypt SSL traffic and maintain compliance

4. Feed existing security solutions to expose potential threats
  • Avoid high capacity upgrade costs
  • Extend security infrastructure investment
  • Assures data integrity of traffic – auditable “loopback”

[Diagram: CLIENT, GATEWAY / FIREWALL, CORPORATE SERVERS, SSL VISIBILITY APPLIANCE, GLOBAL INTELLIGENCE NETWORK, INTERNET SERVER, NG IPS, SANDBOX, SECURITY ANALYTICS. Legend: Encrypted traffic, Decrypted traffic]


SSL VISIBILITY APPLIANCE FAMILY

| Function | SV800-250M | SV800-500M | SV1800 | SV2800 | SV3800 |
|---|---|---|---|---|---|
| Total Packet Processing | 8 Gbps | 8 Gbps | 8 Gbps | 20 Gbps | 40 Gbps |
| SSL Visibility Throughput | 250 Mbps | 500 Mbps | 1.5 Gbps | 2.5 Gbps | 4 Gbps |
| Concurrent SSL Flow States (CPS) | 20,000 | 20,000 | 100,000 | 200,000 | 400,000 |
| New Full Handshake SSL sessions (CPS) (i.e. Setups / Tear Downs), 1024-bit keys | 1,000 | 2,000 | 7,500 | 10,500 | 12,500 |
| New Full Handshake SSL sessions (CPS) (i.e. Setups / Tear Downs), 2048-bit keys | 1,000 | 2,000 | 3,000 | 3,000 | 6,000 |
| Configurations | Fixed | Fixed | Fixed | Modular 3 Slots | Modular 7 Slots |
| Input / Output | 8 10/100/1000 Copper (fixed) | 8 10/100/1000 Copper (fixed) | 8 10/100/1000 Copper or Fiber (fixed) | 2x10G-Fiber, 4x1G Copper, 4x1G Fiber Network Mods | 2x10G-Fiber, 4x1G Copper, 4x1G Fiber Network Mods |
| Resiliency | Fail-to-Wire (FTW) / Fail-to-Appliance (FTA) | FTW / FTA | FTW / FTA | FTW / FTA | FTW / FTA |

Network Modules / Net Mods (USD)

• 4 port copper 1G : NTMD-SV-4x1G-C
• 4 port fiber 1G : NTMD-SV-4x1G-F
• 2 port fiber 10G SR : NTMD-SV-2x10G-SR
• 2 port fiber 10G LR : NTMD-SV-2x10G-LR


IPS REFRESH OPPORTUNITY

Global Financial Services Firm

• Pain Points
  • Lack of visibility into SSL/TLS encrypted traffic
  • Compliance adherence and risks
  • Increasing Advanced Persistent Threats (APTs) and malware attacks
• Solution
  • “Decrypt Once-Feed Many” design supporting Cisco/Sourcefire IPS and FireEye solutions
  • Existing Blue Coat ProxySG and AV customer looking for continued WebPulse / Global Intelligence Network collaboration
• Results
  • Over 25 SSL Visibility Appliances deployed across North America, LATAM and Europe
  • Satisfied customer with a globally secure network that enhances and complements their existing solutions


BLIND SPOT : MULTIPLE TOOLS + HR/LEGAL

US-based Fortune 50 Company

• Pain Points
  • Realized they have massive blind spots with their IPS (HP), forensics (RSA NetWitness) and malware analysis (FireEye) solutions
  • Faced confusion regarding SSL offload and “back-to-back” solutions (e.g. A10, F5)
  • Spent 4 months trying to make F5 work
• Solution
  • Blue Coat educated customer on ETM
  • Addressed Legal Dept. concerns with Host Categorization
  • Quickly Shipped Equipment
  • POC set up and showed the value in just 3.5 hours
• Results
  • 24 SV2800 appliances in < 60 days
  • Satisfied customer with a secure network that enhances and complements their existing security solutions


NG** - SOMETIMES ALL IN ONE --- ISN’T ALL IN ONE

Regional Bank / Financial Firm

• +1000 server infrastructure supporting +8000 employees
• Using Venafi to distribute, validate and manage cryptographic certs & keys
• Longtime Blue Coat customer

Pain Points

• Rapid growth of SSL required strengthened security posture
• Current use of Palo Alto NGFW w/ IDS/IPS was insufficient due to poor performance and no support for Venafi cert/key management
• PAN H/W upgrades were significantly over budget
• 2 month deadline for current FY

Solution

• SSL Visibility Appliances feed PAN NGFW+IDS and support Venafi Trust Protection Platform
• “Decrypt Once-Feed Many” architecture allows future growth
• Additional security projects in discussion

Results

• 5 SSL Visibility Appliances delivered in 3 weeks
• Satisfied customer with a newly enhanced secure network that complements their existing solutions within budget


RAMIFICATIONS OF SSL / TLS GROWTH

• Ignoring encrypted traffic
  • Increases data security and governance risk
    • Inbound infestation
    • Outbound data exfiltration
• Inspecting encrypted traffic
  • Invokes regulatory compliance
    • Numerous regulations per industry
  • Adds complexity and CapEx / OpEx costs
  • Decreases ROI of the infrastructure


ENCRYPTED TRAFFIC MANAGEMENT: A SECURITY NECESSITY

• Encrypted traffic is growing, advanced threats increasingly use encryption, and most security solutions are “blind” to SSL or degrade performance or cryptography.

• Encrypted Traffic Management – Blue Coat

• Eliminate the encrypted traffic blind spot

• Assure high security encryption

• Cost-effectively enhance the existing security infrastructure (ROI)

• Preserve privacy and compliance while enabling comprehensive security


ENCRYPTED TRAFFIC MANAGEMENT: FOR MORE INFORMATION

• Understanding the Impact of SSL/TLS Encryption and Mitigation Options
  • Blue Coat “The Visibility Void”
  • Gartner report “Security Leaders Must Address Threats from Rising SSL Traffic”
  • SANS white paper “Finding Hidden Threats by Decrypting SSL”
  • ETM for Dummies book
• Balancing Data Privacy with Security
  • Securosis white paper “Security and Privacy on the Encrypted Network”
• SSL/TLS Performance Analyses
  • NSS Labs report “SSL Performance Problems”

www.bluecoat.com/uncoverssl


GOT SSL?

WWW.BLUECOAT.COM/UNCOVERSSL