Whether you are a small business operating from a single office or a global enterprise with a huge, distributed corporate network, not inspecting inbound and outbound encrypted traffic can be a costly mistake as cybercriminals increasingly use plus TLS (Transport Layer Security) in their attacks.
Case in point: In Q1 2020, 23% of malware detected by Sophos used TLS to mask malicious communications. Barely a year later, this percentage has almost doubled (45%)!
TLS encryption: for better or for worse
The widespread use of TLS encryption prevents criminals from stealing or tampering with sensitive data and impersonating legitimate organizations online. Unfortunately, it can also allow malware to slip under the radar and hide from company IT security teams and the tools they use.
“Much of the growth in the overall use of TLS by malware may be linked in part to the increased use of legitimate TLS-protected web and cloud services, such as Discord, Pastebin, Github, and the cloud services of Google, as repositories of malicious components, as destinations for stolen data, and even to send commands to botnets and other malware, ” Noted Sean Gallagher, Senior Threat Researcher at Sophos.
“It’s also related to the increased use of Tor and other TLS-based network proxies to encapsulate malicious communications between malware and the actors who deploy it.”
The company has also seen an increase in the use of TLS in manually deployed ransomware attacks, in part because attackers use modular offensive tools (eg, Metasploit, Cobalt Strike) that exploit HTTPS.
In general, however, the majority of malicious encrypted communications detected came from droppers, loaders, and other malware whose function is to download additional malware onto the infected system, which means decryption, inspection and Early recognition of the nature of this traffic is essential to ensure the security of corporate systems and networks.
But despite the obvious benefits, many organizations are reluctant to perform deep packet inspection of their inbound and outbound network traffic. They have privacy concerns, fear this practice will lead to a degraded user experience, and think it is too complex to manage. Most of the time, however, they’re worried that their firewall just can’t handle it.
For these, Sophos offers a solution that has been developed over many years: a new series of firewall appliances that offer TLS inspection capabilities up to five times the speed of other models currently on the market. . The new appliances accelerate trusted traffic that doesn’t need to be scanned and focus its deep inspection of high-speed streaming packets on the rest.
Meet the needs for speed, precision and flexibility
the recently unveiled Sophos XGS family of firewall appliances can inspect TLS traffic on all protocols and ports, as various malware are known to use non-standard IP ports for communication.
As Gallagher noted, “TLS can be implemented on any assignable IP port, and after the initial negotiation, it looks like any other TCP application traffic.”
The XGS series also includes native support for TLS 1.3 and new Xstream stream processors to accelerate trusted traffic and improve the overall performance of important business applications. These are also programmable by software.
“We wanted to make sure that the processing unit wasn’t something that can only be coded once. This means that you can get firmware updates from us that can change the way the chip scans and looks for certain types of packets (and therefore, it can speed up those packets based on new changes) or, alternatively, you can schedule some policies yourself to take advantage of the offload, ”Daniel Cole, senior director of product management at Sophos, told Help Net Security.
Another advantage of these new firewall appliances is their modularity: you can combine the ports and the number of interfaces to adapt the connectivity preferences through the Flexi Port expansion arrays.
“You are a customer and your network is growing. Maybe you had a switch and 20 users, and now you have a hundred users and five switches, and some of them are 10 Gigabit switches with interfaces for your VLAN aggregation. Or maybe you want to do a 4G LTE backup. Either way, Flexi Port modules allow you to upgrade your current hardware model and, in fact, protect your initial investment, ”Cole pointed out.
The XGS series appliances are FIPS compliant, easy to configure and manage through the Sophos Central cloud management platform. They can also be platform independent, for example when used by institutions that are required to keep their networks open. These appliances can be updated with regularly uploaded signatures manually or via script.
But most Sophos customers prefer to bring their firewalls online and connect them to Sophos Central, says Cole, for better visibility, management and reporting.
Last but not least – the XGS Series appliances offer exceptional protection against zero-day threats, identifying and stopping known and potential advanced threats (including ransomware).
Capacity is powered by the device’s Xstream architecture, Sophos threat intelligence and ML-based logic (via SophosLabs Intelix) and threat data (via SophosLabs).
“Many network security companies do not have access to the level and extent of data Sophos can collect from endpoints around the world – and we have collected and analyzed different types of malware, from different landscapes, petabytes and petabytes. data for the past 30 years, ”noted Cole.
By combining this wealth of threat intelligence with the quick results Intelix delivers after blasting suspicious files in a sandbox, he’s convinced the XGS series of devices are best-in-class for zero protection. -day.