
How misplaced trust can render your DLP ineffective

By Tommi Lampila on August 18, 2015

Tommi Lampila, Vice President, APAC

Tommi serves as Vice President, APAC and is responsible for sales, business development and channel operations for the region. During his 15 years at the company, Tommi has worked as a product manager for multiple network encryption, authentication, and security management solutions.

Prior to SSH Communications Security, Tommi was an Information Management Engineer at Rautaruukki, a large Finnish steel corporation. He has a master's degree in engineering from the Tampere University of Technology, Finland, and holds a CISSP certification.

Enabling Data Loss Prevention Tools for Encrypted Channels and File Transfers

The year 2015 marks the 20th anniversary of the first release of the Secure Shell protocol. Network encryption has become ubiquitous over the last two decades, driving critical communications and transactions within and between networks. Consumers use encrypted communications on a daily basis – often unwittingly – to communicate securely with their peers and to purchase goods and services online. Enterprises encrypt critical transactions between business applications and file transfers of sensitive business data.

Encryption of privileged user access and of the transfer of sensitive customer and financial data is recognized as a baseline security control mandated by compliance programs governing the payment card and banking industries. Most organizations have deployed network encryption to fulfill these security and compliance policies, and to protect the integrity of their business operations. Network encryption is a vital aspect of today's global communications, transparently entwined in the very DNA of our digital work and life – but it is a double-edged sword. The other "edge" is that encryption does exactly what one would expect: it protects session contents from examination between the communication end-points, which also renders inspection-based network defenses ineffective.



There are multiple layers of network security controls with very good reasons for inspecting traffic that flows between an organization’s network segments. Intrusion Detection and Prevention solutions inspect network traffic for potential malicious activities and policy violations. Anti-malware software inspects packets and transferred files for viruses and other malicious software. Firewalls prevent unauthorized traffic from crossing network boundaries, while Data Loss Prevention systems scan outbound connections to prevent sensitive contents such as credit card or social security numbers from being leaked outside the organization.

Network encryption prevents these security controls from inspecting the traffic contents, effectively creating holes and blind spots in critical security controls. Encrypted channels, the arteries that drive critical business operations, may provide attractive covert channels for infiltrating the network and exfiltrating stolen data – unless they are managed and audited effectively through privileged access management (PAM) tools.

A Trusted Audit-Point for Full DLP Enablement

The ability to inspect and audit the contents of encrypted traffic is a valid requirement for many organizations, and is in fact an essential requirement for meeting the compliance mandates that govern them. To enable security services such as Data Loss Prevention to inspect and act upon encrypted traffic, access to the unencrypted traffic content is required. This can be implemented by introducing trusted audit points that are paired with the DLP solution. These audit points need the following capabilities:

  1. Decrypt the network traffic and provide it to the DLP appliance in an unencrypted format that the DLP understands. The audit-point needs to be able to inspect and act on both interactive terminal access and file transfers.
  2. Act on the return values sent by the DLP based on its inspection of the traffic contents against the DLP policy rules – allowing or denying the traffic, and sending corresponding alerts to e.g. a SIEM solution.
  3. Transparency – the audit point needs to be deployable in-line with the original traffic, with as few changes as possible to network topology, business processes, applications, or user experience. Forcing such changes can be surprisingly expensive and incur change resistance from business and network owners.
  4. The audit-point can provide additional services such as session recording of privileged-user activities for e.g. incident response, troubleshooting or peer review.
  5. The audit-points need to be flexibly deployable in today's dynamic network and IT environments, from on-premise to cloud environments. Multiple audit-points need to be able to feed alerts and audit trails to a centralized and secure storage, indexing, and reporting component.
  6. The centralized storage and reporting component must incorporate effective policies and role-based access controls for search and playback of the sensitive audit trails.
  7. Ability to integrate openly with multiple third-party DLP solutions, to avoid vendor lock-in.
  8. The audit-point needs to be independent of the traffic end-points. It cannot rely on specific client-side software or server-side agent components: these can be compromised or turned off, and incur prohibitive deployment costs in large and dynamic environments.

Such an audit-point and audit-trail storage framework naturally needs to be deployed in conjunction with stringent role-based access policies governing access to the unencrypted traffic and recorded audit-trails, as the original intent of network encryption is to provide confidentiality for sensitive traffic contents. Privacy and compliance mandates and legislation need to be taken into account, and documented processes for e.g. incident response and audit activities need to be enforced.

The Solution: CryptoAuditor (CrA)

SSH Communications Security created CryptoAuditor to enable solutions such as DLP to inspect and act upon encrypted traffic. The CryptoAuditor solution is a network appliance consisting of a centralized Vault that provides secure storage, indexing, and reporting of audit trails, in addition to one or more audit points called Hounds. These Hounds can be paired up with a DLP solution, to create a powerful audit and control point for encrypted traffic.

Running several distributed Hound components also provides a means for scaling up the monitoring capacity, enabling organizations to protect the critical resources in their networks by placing Hound components strategically. Each Hound can inspect up to 6000 concurrent SSH sessions, over 500 RDP sessions, or tens of thousands of HTTPS connections. Since Hounds are virtual appliances, they can be replicated to meet the scale required by any network.

The CryptoAuditor Hounds integrate with the DLP solution using ICAP (Internet Content Adaptation Protocol). As it is not recommended to send unencrypted traffic over the corporate network, the Hound and the DLP solution should be deployed with a direct link between the components. CryptoAuditor supports this out of the box with a dedicated network interface.

Encrypted SSH or SFTP traffic that is passed through the Hound is subjected to the following operations:

  1. The Hound decrypts the traffic and provides a copy of the unencrypted contents to the DLP (this can be done transparently, with the Hound providing a copy of the SSH server host key of the communication end-point – otherwise a "host key has changed" warning is presented to the client side).
  2. The DLP solution inspects the traffic against its internal rule database and responds to the Hound with an Allow or Deny return value. Potential scenarios that can be implemented are:
     • Inspection of file transfers for unauthorized content such as credit card or social security numbers
     • Matching SSH terminal commands against black-listed commands
     • Preventing unauthorized contents from being output to the terminal
  3. The Hound either allows or denies the traffic and content based on the DLP return value.
  4. The Hound stores session metadata and, optionally, a full session recording for future reconstruction, or even a live over-the-shoulder view of privileged access.
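The exchange above in miniature, as an added Python sketch that is not CryptoAuditor's own code: the audit point wraps a decrypted SFTP upload as an ICAP REQMOD request (RFC 3507) for the DLP server, and maps the DLP's ICAP status line to its allow/deny decision. The ICAP service path, the host names and the sample CSV are constructed placeholders.

```python
import re

# Constructed sample: a CSV an SFTP client is uploading, with a test-style
# card number that a DLP rule for payment card data would flag.
SAMPLE_FILE = b"name,card\nalice,4111111111111111\n"


def build_reqmod(service_host: str, filename: str, payload: bytes) -> bytes:
    """Wrap a decrypted file transfer as an ICAP REQMOD request (RFC 3507).

    The upload is presented to the DLP as an HTTP PUT so that any standard
    ICAP content scanner can apply its rules to the body. Offsets in the
    Encapsulated header count bytes from the start of the encapsulated
    section, so req-body must equal the length of the HTTP header block.
    """
    http_hdr = (
        f"PUT /{filename} HTTP/1.1\r\n"
        "Host: sftp.internal.example\r\n"  # constructed placeholder host
        f"Content-Length: {len(payload)}\r\n\r\n"
    ).encode()
    # ICAP bodies use HTTP chunked encoding: hex length, data, zero chunk.
    body = f"{len(payload):x}\r\n".encode() + payload + b"\r\n0\r\n\r\n"
    icap_hdr = (
        f"REQMOD icap://{service_host}/reqmod ICAP/1.0\r\n"  # assumed path
        f"Host: {service_host}\r\n"
        f"Encapsulated: req-hdr=0, req-body={len(http_hdr)}\r\n\r\n"
    ).encode()
    return icap_hdr + http_hdr + body


def dlp_verdict(icap_response: bytes) -> str:
    """Map the DLP's ICAP status line to the audit point's decision.

    204 No Content means the scanner has no objection and the original
    traffic may be forwarded unmodified. A 200 carries a replacement
    (typically a block page), and anything else (errors, empty reply) is
    treated as deny: a DLP outage must not quietly reopen the blind spot.
    """
    m = re.match(rb"ICAP/1\.0 (\d{3}) ", icap_response)
    return "allow" if m and m.group(1) == b"204" else "deny"


if __name__ == "__main__":
    req = build_reqmod("dlp.example", "report.csv", SAMPLE_FILE)
    print(req.decode(errors="replace"))
    # Constructed responses standing in for a live DLP server.
    print(dlp_verdict(b'ICAP/1.0 204 No Content\r\nISTag: "v1"\r\n\r\n'))
    print(dlp_verdict(b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0\r\n\r\n"))
```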

The CryptoAuditor solution enables DLP, and other layered security controls such as anti-malware, to inspect and act upon encrypted traffic – extending the reach of these solutions to cover the full range of network activities and allowing organizations to gain the full value of their investments in network security technologies. It is a must-have component for enterprises that are subject to compliance requirements mandating privileged access monitoring, and for organizations that want to safeguard critical data such as personal information. It is also a must-have component in networks that serve user-provided content directly to other end users, or allow shell access to shared resources. CryptoAuditor is certified to work with several commercial DLP and SIEM solutions, including McAfee™ WebGateway and Enterprise Security Manager and RSA™ Analytics, and naturally works with any standard ICAP-based tool.

Evaluating and scaling up CryptoAuditor is very quick thanks to its availability through the Amazon Web Services Marketplace. With the AWS Marketplace 1-click deployment, a simple proof-of-concept can be ramped up in less than 30 minutes, without impacting any existing operations. For other purchasing and evaluation options, including running the appliance on-premise, our sales team will be happy to help in finding the right solution for your organization.


CryptoAuditor is now available for 1-click deployment via the Amazon Web Services Marketplace. CryptoAuditor is a registered trademark of SSH Communications Security.
