Ponemon Report on Malware Hiding in Encrypted Traffic

September 2016 by Kevin Bocek, VP Threat Intelligence and Security Strategy at Venafi

A10 Networks released a Ponemon report today that shines a light on the problem of malware hiding in encrypted traffic. Some of the key findings from the report are:
• 80% of organizations were victims of cyber attacks during the past year
• Nearly half of cyber attacks used malware hidden in encrypted traffic to evade detection
• 75% of IT experts surveyed admit malware could steal employee credentials from their networks
Commentary from Kevin Bocek, VP of Security Strategy and Threat Intelligence, Venafi:

"New research confirms what has become clear over the last year: 75% of enterprises are wasting their security budgets - unable to look inside of encrypted traffic to find bad guys hiding! (At least this reveals honest professionals are willing to admit the gaps in their security foundations.) With almost half of attacks using encrypted traffic, we’ve already reached Gartner’s prediction that 50% of network attacks will use SSL/TLS by 2017. This failure means that much of the investment in NGFWs, sandboxes, behavior analytics and other sexy security systems is being wasted. The hard work of finding TLS/SSL keys and certificates and making SSL inspection work is at the core of cybersecurity, but a challenge that continues to be overlooked.

The inability to decrypt incoming and cross-network traffic is driven by the chaos of using keys and certificates. We – security professionals – have created the blind spot. This A10 and Ponemon Institute study makes it clear that insufficient resources and automated controls are creating a nearly insane situation: we keep adding more keys and certificates and more encryption, yet can’t look inside. How could any administrator gather and keep up with the growing amount of keys and certificates needed to enable decryption? Businesses are turning on encryption by default. Initiatives like Let’s Encrypt have made the cost of a certificate zero, which creates a dangerous scenario. Venafi customers reported finding almost 16,500 UNKNOWN TLS/SSL keys and certificates – that’s encrypted traffic that wasn’t even known about. And keys and certificates are growing at least 20% year over year – with at least 23,000 TLS/SSL keys and certificates used in every Global 2000 company. DevOps and cloud, with micro-services and elastic computing, are only going to increase the amount of keys and certificates and TLS traffic even faster. The problem will only get worse before it gets better.

Threats will only continue to increase until we deploy the security controls 1) needed to decrypt traffic and 2) to automatically feed the keys and certificates needed for decryption. No human can keep up with first gathering keys and certificates in a larger organization, keeping them safe and then working to keep them updated as they expire and are replaced each week. Even if multiple full-time employees are applied to the problem, they won’t be able to find all the TLS/SSL and take stock of existing keys and certificates to identify bad guys hiding in encrypted traffic.

Unfortunately, this problem is a blind spot that we’ve continued to ignore. A great example of this is the US federal government (the UK has done the same) requirement that all websites use keys and certificates to enable encrypted HTTPS by December 31, 2016. The US CIO issued requirements for adding encryption, but completely failed to provide guidance on how to defend against attackers hiding in all of this new encrypted traffic. Never was this problem or how to address it mentioned. Never.

It’s the best time to be a bad guy! And unfortunately even 90% of CIOs understand that they are vulnerable to attacks hiding in encrypted traffic AND wasting millions, all while security controls sit idle and bad guys gain the upper hand! We’ve got to address and eliminate this blind spot, stop ignoring the problem and thinking sanely that we must enable SSL inspection. We need to be able to inspect traffic and automate the secure issuance and distribution of keys and certificates to shine a light on attackers and eliminate the possibility of bad guys hiding in encrypted traffic."
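The commentary above argues that an organization cannot inspect TLS traffic it does not know about, and that nobody can track by hand which certificates exist and when they expire. The following program is an added example, written for this page and not code from Venafi, A10 Networks or the Ponemon Institute: it shows the core of an automated certificate inventory check. It generates three constructed sample certificates in memory (standing in for certificates harvested from live TLS endpoints or key stores), identifies each by the SHA-256 fingerprint of its DER encoding, and flags any certificate that is not in the known inventory, has expired, or expires inside an assumed 30-day renewal window. The host names, the inventory map and the 30-day window are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is what an automated scan keeps for every certificate it has
// already catalogued; the fingerprint identifies it wherever it turns up.
type CertRecord struct {
	Fingerprint string
	Subject     string
	NotAfter    time.Time
}

// Finding is the result of checking one observed certificate against the inventory.
type Finding struct {
	Fingerprint string
	Subject     string
	Unknown     bool // fingerprint not in the inventory: encrypted traffic nobody accounted for
	ExpiresSoon bool // still valid but inside the renewal window
	Expired     bool
}

// Fingerprint returns the hex SHA-256 of the certificate's DER bytes.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Audit compares certificates observed on the network against the known
// inventory and flags the unknown, expired and soon-to-expire ones.
func Audit(known map[string]CertRecord, observed []*x509.Certificate, now time.Time, window time.Duration) []Finding {
	findings := make([]Finding, 0, len(observed))
	for _, c := range observed {
		fp := Fingerprint(c)
		_, catalogued := known[fp]
		f := Finding{Fingerprint: fp, Subject: c.Subject.CommonName, Unknown: !catalogued}
		f.Expired = now.After(c.NotAfter)
		f.ExpiresSoon = !f.Expired && c.NotAfter.Sub(now) <= window
		findings = append(findings, f)
	}
	return findings
}

var serial int64 // distinct serial number for each generated sample certificate

// newSelfSigned builds a constructed sample certificate in memory (assumption:
// a real scan would instead parse certificates collected from endpoints or files).
func newSelfSigned(cn string, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// SampleAudit runs the check as of `now` on three constructed certificates:
// one catalogued and healthy, one unknown and about to expire, and one unknown
// and already expired. The 30-day renewal window is an assumption.
func SampleAudit(now time.Time) []Finding {
	day := 24 * time.Hour
	catalogued := newSelfSigned("www.example.com", now.Add(260*day))
	unknownSoon := newSelfSigned("internal.example.test", now.Add(16*day))
	unknownExpired := newSelfSigned("legacy.example.test", now.Add(-45*day))

	known := map[string]CertRecord{
		Fingerprint(catalogued): {Fingerprint(catalogued), "www.example.com", catalogued.NotAfter},
	}
	observed := []*x509.Certificate{catalogued, unknownSoon, unknownExpired}
	return Audit(known, observed, now, 30*day)
}

func main() {
	for _, f := range SampleAudit(time.Now()) {
		fmt.Printf("%-24s unknown=%-5t expiresSoon=%-5t expired=%-5t %s...\n",
			f.Subject, f.Unknown, f.ExpiresSoon, f.Expired, f.Fingerprint[:16])
	}
}
```

The fingerprint is taken over the whole DER encoding rather than the subject name because two certificates for the same host (for instance a renewal and the one it replaced, or one issued by someone outside the PKI team) are different objects that an inspection device must hold separately; keying the inventory on the name would hide exactly the unknown certificates the report counts.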

