SSL Break and Inspect (B&I) has always been a point of contention in the security world. On the one hand, the network security teams say, “We should inspect everything on our network and not allow anything that we cannot inspect.” On the other hand, the endpoint teams (server, desktop, and IoT) say, “We use SSL for a reason: so that no one can break in and man-in-the-middle our traffic.”
Looking at this from the larger viewpoint of endpoint security, SSL and B&I are both needed, and each has its place. Even with the strongest endpoint security software, risk varies from device to device, and the same level of risk cannot be assumed for every device and application. So if the likelihood of a device being compromised is high, and the cost of that compromise would exceed the cost of mitigating it with B&I, then in my mind B&I is required. It is a matter of closing the door on, or countering, the attack techniques of bad actors, including insider threats.
So, let’s talk about the techniques and risks that B&I mitigates, and then hopefully you can decide whether it is worth accepting the risk or whether you should go ahead and implement B&I. MITRE ATT&CK already lists the techniques that SSL/TLS inspection mitigates (mitigation M1020, see https://attack.mitre.org/mitigations/M1020/), but I would like to go into a little more detail. Here are a few additional scenarios that SSL B&I can help to mitigate:
Social media ads are often a channel for some of these techniques, as are hosts at the “Big Three” cloud providers. We cannot realistically block all social media or the major cloud providers, so B&I is a more realistic mitigation.
Now, it is not all rainbows and butterflies in the B&I world, don’t get me wrong. B&I is the most computationally heavy process that I know of in the network and security space today, and the deep inspection that follows decryption demands tremendous resources of its own, which shows up in the user experience. Decryption is only one piece of the puzzle: the decrypted stream still has to pass through the application-level firewall, anti-virus and anti-malware scanning, DLP, and an evaluation of whether the user is entitled to access or send that content. With all that said, the security industry and implementers must keep in mind that the security architecture should not compromise the network’s resilience or usability. If either of those happens, users and management will turn on you quickly.
Some thoughts to guide you in applying B&I:
By the way, this is never a one-horse show. As mentioned earlier, web content and URL filtering, DLP, application inspection, and IPS all need to work alongside B&I on the network security side. For risks that this method cannot mitigate, segment them off, please! And as always, great endpoint security software and a great IoT solution are must-haves in today’s security landscape (be sure to read up on Zero Trust Everywhere).
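The decryption cost discussed above, and the advice to segment off what B&I cannot handle, both come down to one decision a B&I device has to make before it breaks a session: look at the unencrypted ClientHello, read the server_name (SNI) extension, and decide whether this flow gets decrypted, passed through, or blocked. The example below is added here and is not code from this post or from Versa; it builds a constructed ClientHello (not captured traffic), parses the SNI out of it with bounds checks on every length field, and applies a small illustrative policy. The host set `EXEMPT_HOSTS`, the `device_risk` values, and the rule that a flow with no SNI is blocked are all assumptions made for the example, not anything the post prescribes.

```python
import struct
from typing import Optional

# Assumption for the example: hosts whose apps pin certificates and so cannot be
# decrypted. The post's advice is to segment such traffic off rather than inspect it.
EXEMPT_HOSTS = {"pinned.example-bank.com", "updates.example-mdm.com"}


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed sample: a minimal TLS 1.2-style ClientHello record, with an
    optional server_name extension. Used only so the parser can run offline."""
    random_bytes = bytes(range(32))              # fixed, for reproducibility
    cipher_suites = b"\x13\x01\xc0\x2f"          # two suites, content irrelevant here
    body = b"\x03\x03" + random_bytes            # client_version + random
    body += b"\x00"                              # empty session_id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                          # one compression method: null
    extensions = b""
    if sni is not None:
        host = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions += struct.pack("!HH", 0x0017, 0)  # an unrelated, empty extension to skip over
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None if
    the record is not a ClientHello, carries no SNI, or is truncated/malformed.
    A B&I device parses hostile input, so every length is checked before use."""
    if len(record) < 5 or record[0] != 0x16:     # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:             # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        return None
    pos = 2 + 32                                 # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                         # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]        # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                         # compression_methods
    if len(body) < pos + 2:
        return None                              # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_size]
        if len(ext) != ext_size:
            return None
        pos += ext_size
        if ext_type != 0x0000 or len(ext) < 2:   # only server_name interests us
            continue
        lst = ext[2:2 + struct.unpack("!H", ext[:2])[0]]
        q = 0
        while q + 3 <= len(lst):                 # (name_type, name_len, name) entries
            name_type = lst[q]
            name_len = struct.unpack("!H", lst[q + 1:q + 3])[0]
            name = lst[q + 3:q + 3 + name_len]
            if len(name) != name_len:
                return None
            q += 3 + name_len
            if name_type == 0:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def decide(record: bytes, device_risk: str) -> str:
    """Illustrative B&I policy: 'decrypt' (inspect), 'bypass' (pass uninspected),
    or 'block'. device_risk is 'low' or 'high' and is an assumed input."""
    sni = extract_sni(record)
    if sni is None:
        return "block"               # cannot classify what we cannot see
    if sni in EXEMPT_HOSTS:          # pinned: decryption would just break the app
        return "bypass" if device_risk == "low" else "block"
    return "decrypt"


if __name__ == "__main__":
    for host, risk in [("www.example.com", "high"), ("pinned.example-bank.com", "low"),
                       ("pinned.example-bank.com", "high"), (None, "low")]:
        print(host, risk, "->", decide(build_client_hello(host), risk))
```

The point of the bypass branch is the one the post makes: traffic you cannot inspect should not simply be waved through, so the example only bypasses pinned hosts for low-risk devices and blocks them otherwise, which is where segmentation of those devices comes in. Everything that remains is decrypted, and that is the volume your inspection capacity has to be sized for.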