Most of what we do on the internet – buying things, paying a supplier, or sending a confidential email – depends on data being transferred securely. For all of this we rely on Transport Layer Security (TLS), the protocol that protects online transactions by encrypting the connection between a client and a server and authenticating the server to the client.
In August 2018 the Internet Engineering Task Force (IETF), the international community that develops the internet’s protocol standards, published the most recent version, TLS 1.3, as RFC 8446. Adoption has so far been swift: an Enterprise Management Associates survey found that, as of the end of 2018, the majority (73 percent) of enterprises were either already enabling the updated protocol for inbound connections or planning to do so.
TLS 1.3 was designed to fix problems found in the previous version and to bring better performance, privacy and security to internet users. However, there is a fear that the new protocol will make it harder to monitor your organization’s network effectively.
Network-based protection before TLS 1.3
Your company’s network probably includes many different devices: laptops, servers, mobile phones. Each device needs its own endpoint protection. But to protect the entire infrastructure, you also need network security controls at the perimeter, ranging from next-generation firewalls and intrusion prevention systems to data-leak prevention and deep-packet inspection systems.
These controls often rely on a man-in-the-middle (MITM) approach. Here’s how it works: a network security device – known as a middlebox – sits in line and terminates the client’s TLS connection itself. It reads the destination from the client’s request, opens its own TLS connection to that server and validates the server certificate to decide whether the destination is legitimate. It then presents the client with a certificate for that destination, issued on the fly by an internal certificate authority that the company’s endpoints have been configured to trust. Holding the keys for both legs, the middlebox decrypts the traffic, inspects it, and re-encrypts it before forwarding it in either direction. This lets the perimeter controls see what is happening on the network: block malware downloads, detect intrusions and – crucially – stop data leaks.
How TLS 1.3 ‘breaks’ network security
TLS 1.3 provides improved security by removing legacy features and mandating stronger cryptography. But the same changes take away shortcuts that monitoring tools have relied on. To be precise about what changes: an in-line middlebox that the endpoints already trust can still terminate and re-establish connections under TLS 1.3. What the new version removes is the ability to decrypt traffic passively – from a mirrored port, or from a capture after the fact – and it hides handshake details that such tools used to read in the clear.
TLS 1.3 encrypts values that were previously sent in clear text: everything in the handshake after the ServerHello message travels under handshake traffic keys. Most importantly, that includes the server’s Certificate message. A passive observer can no longer see which certificate the server presented, so it cannot validate it or use it to confirm where the endpoint is connecting. One caveat worth knowing: the Server Name Indication (SNI) in the ClientHello is still sent in clear text in TLS 1.3, so the hostname the client asked for remains visible.
Another issue is the removal of the static RSA key exchange. Under TLS 1.2 with an RSA key-exchange cipher suite, the client encrypted the session’s pre-master secret to the server’s long-term public key, so a middlebox holding a copy of the server’s private key could decrypt any session, including recorded ones. TLS 1.3 allows only ephemeral (EC)DHE key exchange: each session derives a fresh key from values that are discarded afterwards, giving forward secrecy. A copy of the server’s private key no longer unlocks the traffic, and out-of-band decryption stops working.
So will all middlebox devices become bricks? Not just yet. They can still analyze metadata – the cipher suites offered, packet sizes and timing, and the ports that initiate the communication – which can be indirect indicators of malicious activity, and a trusted in-line proxy can still terminate connections. But passive inspection loses much of its visibility under TLS 1.3.
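The difference in visibility is easiest to see on the wire. The following Python script is an added example, not part of the original article: it builds two minimal, constructed handshakes (a TLS 1.2 flow with an RSA key-exchange suite and a TLS 1.3 flow) and then walks their records the way a passive middlebox without any keys would, reporting the cleartext SNI, the negotiated version, whether the Certificate message was readable, and whether a copy of the server’s private key would have decrypted the session. The hello messages carry only the fields the observer reads (SNI, supported_versions, cipher suite) rather than a full extension set, the hostname example.com and the cipher-suite table are the example’s own choices, and the application_data bytes are a placeholder standing in for real ciphertext.

```python
import struct

# Record content types, handshake message types and extension ids (RFC 8446 numbering).
HANDSHAKE, APPLICATION_DATA = 22, 23
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE = 1, 2, 11
EXT_SNI, EXT_SUPPORTED_VERSIONS = 0, 43
TLS12, TLS13 = 0x0303, 0x0304
# Key exchange implied by the negotiated suite (a small subset of the IANA registry).
KEX = {0x002F: "RSA", 0x003C: "RSA", 0x009C: "RSA", 0x009D: "RSA",
       0xC02B: "ECDHE", 0xC02C: "ECDHE", 0xC02F: "ECDHE", 0xC030: "ECDHE",
       0x1301: "ephemeral", 0x1302: "ephemeral", 0x1303: "ephemeral"}

def u8(n): return struct.pack("!B", n)
def u16(n): return struct.pack("!H", n)
def u24(n): return struct.pack("!I", n)[1:]
def record(ctype, version, payload): return u8(ctype) + u16(version) + u16(len(payload)) + payload
def handshake(msg_type, body): return u8(msg_type) + u24(len(body)) + body
def extension(ext_type, data): return u16(ext_type) + u16(len(data)) + data

# Constructed handshakes: minimal hellos carrying only the fields the observer reads.
def client_hello(hostname, suite, offer_tls13):
    name = hostname.encode()
    entry = u8(0) + u16(len(name)) + name                         # host_name entry
    exts = extension(EXT_SNI, u16(len(entry)) + entry)
    if offer_tls13:                                               # 1.3 is negotiated via this
        vers = u16(TLS13) + u16(TLS12)                            # extension, not legacy_version
        exts += extension(EXT_SUPPORTED_VERSIONS, u8(len(vers)) + vers)
    body = (u16(TLS12) + b"\x11" * 32 + u8(0)                     # legacy_version, random, no session id
            + u16(2) + u16(suite) + u8(1) + u8(0)                 # one suite, null compression
            + u16(len(exts)) + exts)
    return record(HANDSHAKE, 0x0301, handshake(CLIENT_HELLO, body))

def server_hello(suite, version):
    exts = extension(EXT_SUPPORTED_VERSIONS, u16(TLS13)) if version == TLS13 else b""
    body = u16(TLS12) + b"\x22" * 32 + u8(0) + u16(suite) + u8(0) + u16(len(exts)) + exts
    return record(HANDSHAKE, TLS12, handshake(SERVER_HELLO, body))

def tls12_flow(hostname="example.com", suite=0x009C):
    """TLS 1.2: the Certificate message travels in a plaintext handshake record."""
    cert = record(HANDSHAKE, TLS12, handshake(CERTIFICATE, b"\x00\x00\x00"))
    return client_hello(hostname, suite, False) + server_hello(suite, TLS12) + cert

def tls13_flow(hostname="example.com", suite=0x1301):
    """TLS 1.3: after ServerHello the Certificate rides inside application_data records,
    encrypted under the handshake keys; the bytes below are a placeholder for that ciphertext."""
    encrypted = record(APPLICATION_DATA, TLS12, b"\xaa" * 48)
    return client_hello(hostname, suite, True) + server_hello(suite, TLS13) + encrypted

def _extensions(buf):
    off = 0
    while off + 4 <= len(buf):
        etype, elen = struct.unpack("!HH", buf[off:off + 4])
        yield etype, buf[off + 4:off + 4 + elen]
        off += 4 + elen

def _hello_fields(body, is_client):
    """SNI from a ClientHello; negotiated version and suite from a ServerHello."""
    out = {"sni": None, "version": struct.unpack("!H", body[:2])[0], "suite": None}
    off = 34 + 1 + body[34]                                       # skip version, random, session id
    if is_client:
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]      # cipher suite list
        off += 1 + body[off]                                      # compression list
    else:
        out["suite"] = struct.unpack("!H", body[off:off + 2])[0]
        off += 3                                                  # suite + compression method
    if off + 2 > len(body):
        return out                                                # no extensions (legal before 1.3)
    ext_len = struct.unpack("!H", body[off:off + 2])[0]
    for etype, data in _extensions(body[off + 2:off + 2 + ext_len]):
        if etype == EXT_SNI and is_client:
            out["sni"] = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
        elif etype == EXT_SUPPORTED_VERSIONS and not is_client:
            out["version"] = struct.unpack("!H", data[:2])[0]     # where 1.3 states the real version
    return out

def passive_observe(stream):
    """Walk a captured flow record by record, as a middlebox holding no keys would."""
    seen = {"sni": None, "version": None, "key_exchange": None,
            "plaintext_handshake_types": [], "opaque_records": 0}
    off = 0
    while off + 5 <= len(stream):
        ctype, _, length = struct.unpack("!BHH", stream[off:off + 5])
        payload, off = stream[off + 5:off + 5 + length], off + 5 + length
        if ctype != HANDSHAKE:
            seen["opaque_records"] += 1                           # ciphertext: nothing to parse
            continue
        p = 0
        while p + 4 <= len(payload):                              # a record may carry several messages
            mtype, mlen = payload[p], int.from_bytes(payload[p + 1:p + 4], "big")
            body, p = payload[p + 4:p + 4 + mlen], p + 4 + mlen
            seen["plaintext_handshake_types"].append(mtype)
            if mtype == CLIENT_HELLO:
                seen["sni"] = _hello_fields(body, True)["sni"]
            elif mtype == SERVER_HELLO:
                f = _hello_fields(body, False)
                seen["version"], seen["key_exchange"] = f["version"], KEX.get(f["suite"])
    seen["certificate_visible"] = CERTIFICATE in seen["plaintext_handshake_types"]
    # A copy of the server's private key unlocks a session only when the client encrypted
    # the pre-master secret to that key, i.e. TLS 1.2 with a static-RSA key-exchange suite.
    seen["decryptable_with_server_key"] = seen["version"] == TLS12 and seen["key_exchange"] == "RSA"
    return seen
```

Running passive_observe(tls12_flow()) reports the SNI, version 0x0303, handshake types [1, 2, 11] (the Certificate is readable) and a session a copy of the server key could decrypt; passive_observe(tls12_flow(suite=0xC02F)) still shows the certificate but, with an ECDHE suite, is not decryptable that way; passive_observe(tls13_flow()) still yields the SNI but reports version 0x0304, only [1, 2] in the clear, one opaque record and nothing the server’s key would unlock. Note that the version of a TLS 1.3 session has to be taken from the supported_versions extension; the legacy version fields still say 0x0303.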
How to get ready for the shift to TLS 1.3
TLS 1.3 is a big step forward. Outdated ciphers and key-exchange modes with known weaknesses, which cybercriminals could otherwise exploit, have been removed from the protocol. The handshake completes in one round trip instead of two, so connections set up faster, making online communications both quicker and more secure.
TLS 1.3 is already gaining traction, so enterprises need to act now to adapt to the upcoming changes. There’s no silver bullet to replace network monitoring. You need to rethink your enterprise’s approach to protection and focus on areas you may not have paid much attention to before. Here’s what you should do now to protect your business.
As it becomes harder to decrypt network traffic, focus more on endpoint-level security. Endpoints are the most common entry points for intruders. In addition to an indispensable Endpoint Protection Platform, install an Endpoint Detection and Response (EDR) solution to detect and quickly respond to complex incidents. For visibility over your entire IT infrastructure, it is essential to monitor logs from endpoints; to cope with the volume, use a solution that collects and analyzes these records automatically. EDR stores endpoint telemetry centrally and makes it searchable, which is what you need for the post-mortem after an incident.
Invest in your experts
But you can’t rely on technical security solutions alone; focus on your team too. Since network detection will become weaker with TLS 1.3, invest more in your response capabilities and train your teams. Access to actionable, regularly updated threat intelligence helps analysts work through incidents more quickly and efficiently. If you lack these specialists internally, it is best to outsource this function.
To detect and manage threats effectively, internal security specialists need up-to-date skills and knowledge. Specialist training will help to improve their expertise. Security awareness initiatives teach all employees how to avoid putting the company at risk. This helps to reduce the number of incidents caused by what is often the weakest endpoint of all: human error.
TLS 1.3 brings many benefits to end users and ultimately will help the business too. But to embrace those benefits while keeping your organization safe, you will need to double down on your internal cybersecurity efforts.