This year at RSA Conference, I had the privilege of presenting a technical session on the implications of TLS 1.3 for security operations visibility along with Josh Northrup at Fiserv, an important ExtraHop customer that worked with us to test and refine a highly scalable solution for TLS 1.3 decryption.
The talk was well-received so I wanted to share it with the hope of benefiting a broader audience, especially organizations that are considering their options for handling TLS 1.3. I've outlined the presentation below, but the slides and a video recording are available on the RSA Conference session page: The Network Is Going Dark: Why Decryption Matters for SecOps
- Introduction
- The trend is toward total encryption of network traffic both on the Internet and within datacenter, cloud, and campus environments
- TLS 1.3 is more secure, but creates challenges for out-of-band monitoring by using ephemeral session keys
- Options for organizations
- Analysis of encrypted traffic using fingerprinting and other techniques
- Man-in-the-middle appliances to break and inspect encrypted traffic
- Session-key forwarding for local services
- My recommendations
- For user and BYOD traffic, use the break-and-inspect method
- For local services that you control, use session-key forwarding at choke points such as application delivery controllers and proxies
- Fiserv deployment of session-key forwarding
- Large deployment with 3,500+ servers and 6,000 sessions per second across multiple data centers
- Not just for HTTPS, but also services such as LDAP
- Session-key forwarders are built into the automation framework