
Is Encryption an NTA / NIDS / NFT Apocalypse?

Here is a funny one: does pervasive traffic encryption KILL Network Traffic Analysis (NTA) dead?

Well, OK, not truly “kill it dead,” but push it back to 2002, when it was called “N-BAD” [“a coincidence? I think not”] and was solely Layer-3/flow/netflow-based. Back then, it was considered either a niche security technology or a luxury with a market of barely a few million dollars [this of course excludes non-security-focused traffic monitoring that Gartner calls NPMD].

We’ve been asking different people this question in different forms and we’ve heard very different things (all quotes below are made up, these are genericized versions of the things we’ve heard):

  1. “Yes, network encryption and especially TLS 1.3 will doom content inspection. Do not buy NTA, the boxes will be doorstops soon” [some say that TLS 1.3 only kills NFT and not NTA due to making stored data decryption dramatically harder if at all possible; cert pinning makes both hard, but you can work around it]
  2. “No… SSL/TLS is old hat, and much of our internal traffic (East-West) remains plaintext – so NTA will work here for many years” [a very past-looking view, but much of IT is in the past, so perhaps OK?]
  3. “Well, we only do flow-based ‘NTA’ anyway because of some privacy mumbo-jumbo, so encryption does not make it any worse.” [this is a fairly sane view, but this is akin to saying “return to 2002 won’t harm us since we in fact live in 2002”]
  4. “In fact, we can analyze encrypted traffic data by using a tamed, but proprietary vendor magic unicorn or open-source (JA3)” [TRUE] and “It works as well as plaintext analysis” [100% FALSE!]

From the above list, path #4 is the most exciting to watch, of course. I am really curious how far we can go with analytics, data science and machine learning to try to glean security-relevant insight from encrypted and shallow data.
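To make path #4 concrete, here is an added example (not code from the post): a JA3 fingerprint is just an MD5 over fields of the unencrypted TLS ClientHello (version, cipher suites, extension types, supported groups, point formats), which is why it keeps working under TLS 1.3, where the ClientHello is still sent in the clear, while content inspection does not. The ClientHello below is constructed, not captured, and the parser covers only the fields JA3 needs; the result identifies the client software, not what it sent, which is the gap between “TRUE” and “works as well as plaintext”.

```python
import hashlib
import struct

# GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ..., 0xfafa) are random per connection, so JA3 drops them.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}

def _u16s(buf):  # big-endian u16 list; a trailing odd byte is ignored
    return list(struct.unpack(f">{len(buf) // 2}H", buf[:len(buf) // 2 * 2]))

def ja3_from_client_hello(record):
    """Return (ja3_string, ja3_md5) for one TLS record that carries a ClientHello."""
    ctype, _ver, rlen = struct.unpack(">BHH", record[:5])
    hs = record[5:5 + rlen]
    if ctype != 22 or hs[0] != 1:  # 22 = handshake record, 1 = ClientHello
        raise ValueError("not a ClientHello")
    version, pos = struct.unpack(">H", hs[4:6])[0], 38  # client_version; then skip 32-byte random
    pos += 1 + hs[pos]  # legacy_session_id (u8 length prefix)
    cs_len = struct.unpack(">H", hs[pos:pos + 2])[0]
    ciphers = [c for c in _u16s(hs[pos + 2:pos + 2 + cs_len]) if c not in GREASE]
    pos += 2 + cs_len + 1 + hs[pos + 2 + cs_len]  # past cipher_suites and compression_methods
    exts, curves, fmts = [], [], []
    if pos < len(hs):  # the extensions block is optional
        pos, end = pos + 2, pos + 2 + struct.unpack(">H", hs[pos:pos + 2])[0]
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[pos:pos + 4])
            body = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype not in GREASE:
                exts.append(etype)
            if etype == 10:  # supported_groups: u16 list length, then u16 group ids
                curves = [g for g in _u16s(body[2:]) if g not in GREASE]
            elif etype == 11:  # ec_point_formats: u8 list length, then u8 ids
                fmts = list(body[1:])
    ja3 = ",".join([str(version)] + ["-".join(map(str, f)) for f in (ciphers, exts, curves, fmts)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def build_client_hello(ciphers, extensions):
    """Assemble a minimal TLS 1.2-style ClientHello record (constructed input, not a capture)."""
    ext_blob = b"".join(struct.pack(">HH", t, len(b)) + b for t, b in extensions)
    body = (b"\x03\x03" + bytes(32) + b"\x00"  # client_version 1.2, zeroed random, empty session id
            + struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
            + b"\x01\x00" + struct.pack(">H", len(ext_blob)) + ext_blob)  # null compression, extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

# Constructed sample with a GREASE cipher and a GREASE extension mixed in, as browsers do.
SAMPLE = build_client_hello(
    [0x1a1a, 0x1301, 0xc02b],  # GREASE, TLS_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    [(0x0a0a, b""), (0, b"\x00\x0c\x00\x00\x09localhost"),  # GREASE, server_name
     (10, b"\x00\x06\x2a\x2a\x00\x1d\x00\x17"), (11, b"\x01\x00")])  # groups: GREASE, x25519, secp256r1; formats: uncompressed
```

Run `ja3_from_client_hello(SAMPLE)` to get the JA3 string `771,4865-49195,0-10-11,29-23,0` and its MD5; any two clients emitting the same field lists collide, which is the limit the “100% FALSE” remark points at.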

So, what can we conclude? You can:

  • Keep fighting the MitM / decryption battles and you will win some and lose some, but will eventually lose the war. Will it be in 2021 or 2030? No idea when, but it will happen.
  • Push hard for your vendor to improve encrypted data analytics and the level of insight derived from flow-/header-level traffic data – but be aware of the hard limits of this path.
  • Accept that NTA will deliver less in the future due to the disappearance of most (but not all) layer-7/content visibility.
  • Stick to the endpoint and toss your NTA out of the window (example).

Enjoy!


*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: https://blogs.gartner.com/anton-chuvakin/2018/11/16/is-encryption-an-nta-nids-nft-apocalypse/