RSA Quick Take: How Do You Inspect What You Can’t See?

Chester Wisniewski, Principal Research Scientist at Sophos

Chester Wisniewski, Principal Research Scientist at Sophos, posed a question that I couldn’t answer. (And I suspect not a lot of other people at RSA 2018 could answer it, either.) “How do you inspect something you can’t see?”

This is an issue Wisniewski has considered in depth. Sophos had just published its Dirty Secrets of Network Firewalls report, which revealed that IT managers cannot identify 45 percent of their organization’s network traffic. It further found that almost a quarter of them cannot identify 70 percent of their network traffic. Massive breaches like The Panama Papers, where attackers exfiltrated 2.6 terabytes of data from a law firm’s servers without being detected, are predicated on the idea that IT managers don’t usually know what’s leaving their networks.

“At the root, this is a matter of policy conflict,” said Wisniewski. “You have a series of overlapping policies that mandate data encryption in transit but also require packet inspection at the firewall. It’s hard to do both.” According to Wisniewski, traditional PKI and certificate-issuing processes tend to be cumbersome and don’t scale or adapt well to the way organizations rapidly change shape today.

To reconcile policies and achieve the goal of data confidentiality through encryption but preserve the protection against unauthorized data access, Wisniewski suggests getting the endpoints involved to talk to each other. “If you tag the data stream correctly, the firewall can make a yes/no policy decision based on the tags—like, where is this data going, who is it from, what’s in it? It can make the call without seeing the actual data.” This is the approach being adopted by Sophos in its new Endpoint Protection solutions.
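The tag-based decision Wisniewski describes can be sketched in a few dozen lines. The example below is an added illustration, not Sophos code and not a description of how its Endpoint Protection products implement tagging. It assumes a hypothetical design in which the endpoint agent attaches a small tag (who sent the flow, where it is going, how the data is classified) and authenticates it with an HMAC under a key shared with the firewall, so that a forged or tampered tag fails verification. The firewall evaluates only the tag and never reads the (encrypted) payload; an untagged flow, the "traffic you can't identify" from the report, is denied by default. All hostnames, user names and the key are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed for this example: a key shared between the endpoint agent and the
# firewall. A real deployment would provision per-endpoint keys or certificates.
SHARED_KEY = b"example-tagging-key-not-for-production"

# Constructed internal domain; destinations under it count as "inside the org".
INTERNAL_DOMAINS = ("corp.example",)

# Policy expressed over tags only: classification -> where that data may travel.
POLICY = {
    "public": "any",
    "internal": "internal",
    "confidential": "internal",
}


def tag_stream(src_user, dst_host, classification, key=SHARED_KEY):
    """Endpoint side: describe the flow and authenticate the description."""
    tag = {"src_user": src_user, "dst_host": dst_host, "classification": classification}
    canonical = json.dumps(tag, sort_keys=True).encode()  # deterministic encoding for the MAC
    mac = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return {"tag": tag, "mac": mac}


def verify_tag(tagged, key=SHARED_KEY):
    """Firewall side: reject tags that were not produced by a trusted endpoint."""
    canonical = json.dumps(tagged["tag"], sort_keys=True).encode()
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tagged["mac"])


def is_internal(host):
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def firewall_decision(tagged, key=SHARED_KEY):
    """Return (verdict, reason) using the tag alone; the payload is never inspected."""
    if tagged is None:
        return ("deny", "untagged flow: traffic cannot be identified")
    if not verify_tag(tagged, key):
        return ("deny", "tag failed authentication")
    tag = tagged["tag"]
    scope = POLICY.get(tag["classification"])
    if scope is None:
        return ("deny", "unknown classification %r" % tag["classification"])
    if scope == "any":
        return ("allow", "%s data may leave the organization" % tag["classification"])
    if scope == "internal" and is_internal(tag["dst_host"]):
        return ("allow", "%s data staying inside the organization" % tag["classification"])
    return ("deny", "%s data may not go to %s" % (tag["classification"], tag["dst_host"]))


def evaluate_sample_flows():
    """Constructed flows covering the allow, deny, tampered and untagged cases."""
    tampered = tag_stream("mallory@corp.example", "paste.example.net", "confidential")
    tampered["tag"]["classification"] = "public"  # relabelled after signing; MAC no longer matches
    flows = [
        ("alice -> internal file server", tag_stream("alice@corp.example", "files.corp.example", "confidential")),
        ("alice -> external host", tag_stream("alice@corp.example", "drop.example.net", "confidential")),
        ("marketing -> public site", tag_stream("bob@corp.example", "cdn.example.net", "public")),
        ("relabelled tag", tampered),
        ("untagged flow", None),
    ]
    return [(name, firewall_decision(tagged)) for name, tagged in flows]


if __name__ == "__main__":
    for name, (verdict, reason) in evaluate_sample_flows():
        print("%-28s %-5s %s" % (name, verdict, reason))
```

The design point the example makes explicit is that a tag-based firewall is only as trustworthy as the tag's origin: without the MAC check, anything on the path (or a compromised endpoint) could relabel confidential data as public. The firewall still sees nothing of the payload, which is what lets the encryption-in-transit and inspection-at-the-perimeter policies coexist.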