SecurIT 2019: In an increasingly-encrypted world, visibility is more important than ever

Just as many CSOs are focused on automating their organisational threat response, many others are focused on improving their visibility of network traffic – which, with encryption increasingly used to protect legitimate application traffic and obfuscate malware command-and-control (C&C) traffic, has become ever more difficult to do.

Visibility was the topic of an engaging panel at which Al-Bassam joined James Ng, head of Telstra’s Cyber Security Governance and Risk team as well as acting CISO of telco venture Belong; Preston Hogue, director of security marketing with F5; and Shafqat Mehmood, cyber threat intelligence and incident response manager with Australian Unity.

All four offered different perspectives on keeping up with the growing flood of botnet traffic that has grown out of cybercriminals’ increasing use of automation, traffic that often feeds malicious networks which use encryption to operate right under the noses of visibility-challenged CSOs.

Botnet traffic has become so common, said Hogue, that “we go into a lot of customers and turn on bot protection, and they have such a drastic drop in their overall traffic that they think we’ve implemented the control inappropriately.”

“Once that traffic gets in, it is all essentially consuming compute, consuming resources and costing the organisation dollars – but is not providing any form of benefit. So you see why you want to be able to identify those bots as far out towards the edge as you can – and implement enforcement points as far out as possible, as well.”

Like many organisations, Australian Unity has been focused heavily on bolstering endpoint protection to prevent many forms of attack traffic from ever getting onto the company network. In a zero-trust network environment, this meant always monitoring traffic to mobile devices as well as other endpoints.

“Encryption and obfuscation of C&C traffic presents a serious challenge to valid traffic,” Mehmood explained. “The first and best option is to detect at the endpoint level, where [malicious] applications have not yet started to communicate. The second approach is to use proxies to decrypt and get this traffic at the proxy level.”

Al-Bassam was sceptical about the degree to which endpoint protection can block all threats, however, noting that “it’s quite easy to create malware that evades signature and pattern-based recognition.”